Attackers were able to compromise the U.S. Veterans of Foreign Wars’ website this week and serve up a previously unknown zero day exploit in Internet Explorer 10, and while motivation behind the campaign is still unclear, experts are speculating its aim was to procure military intelligence.
According to researchers at FireEye, the campaign, dubbed Operation SnowMan, follows in the footsteps of operations DeputyDog and Ephemeral Hydra, two campaigns that recently used IE zero days to carry out watering hole attacks, dropping remote access Trojans to takeover machines.
While a number of retired military personnel use the site, VFW.org, active military personnel also frequent it, potentially putting sensitive military information at risk.
FireEye noticed the “classic drive-by download” style attack on Tuesday after discovering that an iframe had been appended to the beginning of the website’s HTML code. The iframe contains a corrupted Flash object that goes on to trigger the IE 10 vulnerability, (CVE-2014-0322), a use-after-free bug in the browser.
From there the Flash file downloads a XOR-encoded payload from a remote server, decodes it and executes it.
According to FireEye it starts off as a .JPG image, then the .JPG is attached to the shellcode which is executed to produce two files, sqlrenew.txt and stream.exe, before its executed with a Windows API call.
Like DeputyDog, SnowMan deploys an HTTPS version of Gh0stRAT, a remote access Trojan that has been spotted connecting to some of the same IP addresses as DeputyDog. SnowMan can let the attacker modify one byte of memory at an arbitrary address, meaning it can also bypass ASLR, or Address Space Layout Randomization, along with DEP, Data Execution Prevention, both security features in Windows.
A quintet of researchers – Darien Kindlund, Dan Caselden, Xiabo Chen, Ned Moran and Mike Scott – described the campaign on FireEye’s blog yesterday, acknowledging that the time frame of the attack, “amid a paralyzing snowstorm at the U.S. Capitol in the days leading up to the Presidents Day holiday weekend,” could have helped the attackers.
Winter storm Pax forced much of the U.S. Capitol to shutter Thursday and Monday of course is a U.S. holiday, President’s Day, a time lapse that could give the attackers the window they need.
While the attack is targeted, Jerome Segura, a researcher with MalwareBytes, was able to reproduce the zero-day on Windows 7 on Internet Explorer 10 with the latest version of Flash Player today, showing how easy it may be for an attacker to replicate.
Users running IE 11 or using Microsoft’s Experience Mitigation Toolkit (EMET) are not at risk because the iframe will abort exploitation under those conditions. The attacker can easily diagnose whether the machine is running EMET by loading an XML string. If the parsed return code fails, it means EMET is not present and the attacker can proceed with the exploit.
According to FireEye the threat has several connections to the DeputyDog and Ephemeral Hydra campaigns. All of them use a zero-day to deliver a RAT and use a 0×95-encoded payload – obfuscated by a .JPG extension – among other traits.
Additonally there are a handful of infrastructure overlaps and connections between SnowMan, EphemeralHydra and DeputyDog, including similar domains and IPs. The code found in the Flash file and the way the shellcode is executed share similarities with the attacks as well, suggesting they may be intertwined.
Researchers at security firm Websense had also been looking into the zero day and published information about it shortly after FireEye on Thursday.
While Websense agrees with FireEye that the attack appears to have correlations with DeputyDog and EphemeralHydra, Websense claims it first saw it being used in exploits as far back as Jan. 20, about three weeks before FireEye noticed it.
Websense researchers Alex Watson and Victor Chin write that the attack could also be targeting the Groupement des Industries Francaises Aeronautiques et Spatiales (GIFAS) a French aerospace association.
According to the two, the exploit was at one point hosted and distributed via a (U.S.-based) site masquerading as GIFAS’ site, suggesting the French group, or those visiting its website may be a target in addition to those visiting the VFW website.
It’s a small difference but Websense’s analysis also notes that a malicious Shockwave file, not a Flash file, downloads the .JPG payload that leads to the attack.
Counting the US military this week, FireEye points out the threat actors have targeted a swathe of industries with the attacks including but not limited to: law firms, NGOs, mining companies, Japanese firms and IT companies.
FireEye discovered the DeputyDog attack, which also targeted Internet Explorer (both 8 and 9) and delivered a payload via an image file, back in September. That attack targeted Japanese media and government outlets via a watering hole attack, dropping a McRAT variant onto compromised computers.
Ephemeral Hydra, which came to light in November and and dropped a McRAT variant, this time on a U.S.-based non-governmental organization in order to secure “industry-specific intelligence.”
Microsoft has not yet issued an official security advisory about the vulnerability but it likely will soon, in addition to potentially releasing a workaround for IE 10 users. The company has announced it will not release an out-of-band patch for the vulnerability. Microsoft’s next scheduled Patch Tuesday update is March 11.
Microsoft acknowledged the vulnerability on Friday and until the update, encouraged users to update to IE 11.
“Microsoft is aware of limited, targeted attacks against Internet Explorer 10,” a Microsoft spokesperson said, “Our initial investigation has revealed that Internet Explorer 9 and Internet Explorer 10 are affected. We will take the necessary steps to protect customers; meanwhile, we recommend customers upgrade to Internet Explorer 11 for added protection.”
The news comes just a few days after the Microsoft released February’s Patch Tuesday update, including the last minute MS14-010 bulletin which addressed 24 vulnerabilities in the browser.