Attackers have increased their exploitation of an Internet Explorer zero-day vulnerability (CVE-2014-0322) that Microsoft is set to fix in its regularly scheduled Patch Tuesday release later this afternoon.
According to a Websense report, the exploit source code deployed in at least two incidents – one targeting a French aerospace manufacturer and another targeting the website of Veterans of Foreign Wars – appears to have been made public. This publication and the subsequent addition of the zero-day to popular crimeware kits seems to have spurred the uptick, at least in part. As Websense notes, once exploit code like this goes public, generating attacks using it is essentially as easy as “copy and paste.”
Another factor contributing to the IE zero-day vulnerability’s increased exploitation is likely the sheer amount of press it received, especially after researchers announced they would demonstrate a total bypass of Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) at CanSecWest in Vancouver this week. This EMET bypass is both relevant and significant because the Redmond, Wash., computer giant urged its customers to install and run EMET as a temporary mitigation against this very same zero-day.
In addition to the two websites listed above, Websense reports that three others have been targeted using the same bug: hatobus[dot]co[dot]jp, a Japanese travel site hosted in Tokyo; english[dot]com[dot]tw, the site of a Taiwanese English school hosted in San Antonio, Texas; and chemistry[dot]hku[dot]hk, a Hong Kong University Chemistry Department website hosted in Hong Kong.
It all began with a typo-squatted variant of giffo[dot]asso[dot]fr, the website of the French aerospace company. The attackers set up giffo[dot]assso[dot]net and hosted a malicious iframe there that led to another part of the same domain, where the exploit was actually located.
Once this attack began garnering media attention, other criminals began copying it, deploying the same code on different lure sites with different payloads.
In the case of Hatobus, the popular Japanese travel site, attackers buried the redirecting iframe in some JavaScript files on the site. The exploit itself was also hosted on the site, which makes it all the more inconspicuous, since shady redirects are generally a dead giveaway for protective software. The exploit code in this case, according to Websense, was nearly identical to that used in the first attack. The only real difference is that the attackers piggybacked a second exploit, targeting Java, which aimed to install a banking trojan aimed at customers of a popular Japanese bank. Unlike the earlier, targeted attacks, the Hatobus variant sought to infect as many machines as possible.
The other two attacks were essentially copycats as well. Interestingly, in the case of the Taiwanese English school, the exploit was rather flagrantly hosted on the homepage of that website. The Hong Kong University Chemistry Department attack deployed redirecting iframes similar to those in the other incidents.
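The pattern common to these incidents, an iframe hidden in a page or a JavaScript file that pulls content from a lookalike or off-site domain, is something a site owner can check for. The following added example (not code from Websense or this article) scans HTML or JavaScript text for hidden iframes and for iframe hosts that are off an assumed allowlist or merely resemble an allowlisted domain, using a constructed sample modelled on the giffo[dot]assso[dot]net lure:

```python
import re
from difflib import SequenceMatcher

# Constructed sample: a site JavaScript file with an injected hidden iframe, using the
# lure domain named in the article (the legitimate site is giffo.asso.fr).
SAMPLE_JS = """
function init(){ document.getElementById('nav').style.display='block'; }
document.write('<iframe src="http://giffo.assso.net/x/" width="0" height="0" style="visibility:hidden"></iframe>');
"""

# Assumption: the defender maintains an allowlist of domains the site legitimately embeds.
KNOWN_DOMAINS = {"giffo.asso.fr", "hatobus.co.jp"}

IFRAME_RE = re.compile(r'<iframe\b[^>]*>', re.IGNORECASE)
SRC_RE = re.compile(r'src\s*=\s*["\']?(?:https?:)?//([^/"\'\s>]+)', re.IGNORECASE)
HIDDEN_RE = re.compile(
    r'width\s*=\s*["\']?0\b|height\s*=\s*["\']?0\b|display\s*:\s*none|visibility\s*:\s*hidden',
    re.IGNORECASE)

def lookalike_of(host, known, threshold=0.75):
    """Return the allowlisted domain this host most resembles, if close but not identical."""
    best, score = None, 0.0
    for k in known:
        r = SequenceMatcher(None, host.lower(), k).ratio()
        if r > score:
            best, score = k, r
    if best and best != host.lower() and score >= threshold:
        return best
    return None

def find_suspicious_iframes(text, known=KNOWN_DOMAINS):
    """Flag iframes (including ones written from JS strings) that are hidden, point off
    the allowlist, or use a lookalike of an allowlisted domain."""
    findings = []
    for m in IFRAME_RE.finditer(text):
        tag = m.group(0)
        src = SRC_RE.search(tag)
        host = src.group(1).lower() if src else None
        reasons = []
        if HIDDEN_RE.search(tag):
            reasons.append("hidden")
        if host and host not in known:
            reasons.append("off-allowlist")
            like = lookalike_of(host, known)
            if like:
                reasons.append(f"lookalike of {like}")
        if reasons:
            findings.append({"host": host, "reasons": reasons, "tag": tag})
    return findings
```

Run against a site's served HTML and JavaScript, a non-empty result for a file that should carry no iframes at all is the signal worth investigating.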
“It’s evident that the repercussions of exploit code of an unpatched vulnerability that found its way to the public domain can have quite an impact; exploit code that has been crafted for a targeted attack is virtually later on copied and used to drop crimeware binaries,” wrote Websense’s Elad Sharf. “We could see that the exploit code for CVE-2014-0322 was encompassed and served in a variety of ways as it ‘evolved’ in scale: starting from being utilized on a cybersquatted lure website used in a low-volume and selected ‘under the radar’ targeted attacks to being served through hidden iframes and exploit code that was directly placed on compromised websites with the ultimate aim to impact as many browsing users as possible with crimeware.”