The scope of a watering hole attack targeting the U.S. Department of Labor website widened significantly over the weekend. Researchers are reporting that as many as nine websites, including a European aerospace, defense and security manufacturer as well as a number of non-profit organizations, have also been compromised and are redirecting visitors to a website hosting malware.
Microsoft, meanwhile, released an advisory warning Internet Explorer 8 users that the attackers are exploiting a zero-day vulnerability in Internet Explorer 8, and not CVE-2012-4792 as was originally reported. Yesterday morning, a Metasploit module was released for this vulnerability, heightening the likelihood of additional attacks or of its inclusion in a commercial or private exploit kit.
Microsoft urges IE 8 users to upgrade to a newer version of the browser (IE 6, 7, 9 and 10 are not vulnerable) and says it will either release an out-of-band patch or address the flaw in an upcoming Patch Tuesday release. The next scheduled Microsoft security updates are due next week.
The original outbreak was made public May 1 when it was reported that the DoL’s Site Exposure Matrices website was infected and attackers had injected JavaScript via an iframe that redirected site visitors to a site hosting the Poison Ivy remote access Trojan.
The espionage malware was originally thought to be exploiting a use-after-free memory corruption vulnerability that Microsoft had patched earlier this year. The DoL’s SEM site is a repository of data on toxic substances present at facilities run by the Department of Energy, and researchers at Invincea speculated that the attackers’ targets were downstream employees of the Department of Energy who work on nuclear weapons programs.
Invincea CTO and founder Anup Ghosh confirmed that a previously unreported use-after-free vulnerability was being exploited in this attack and that only IE 8 was affected. Ghosh said his researchers were still able to reproduce an infection on a Windows XP machine running IE 8 that was patched with MS13-008, which addressed CVE-2012-4792.
Microsoft confirmed in its advisory that this is a remote code execution vulnerability, and that IE does not properly handle objects in memory that have been deleted or not properly allocated. Microsoft suggests that users use caution when sent links via email or IM messages. In the meantime, Microsoft suggests setting the Internet and local intranet security zones to “high” to block ActiveX Controls and Active Scripting, as well as configuring IE to prompt before running Active Scripting.
The malware drops an executable called conime[.]exe onto the infected computer and opens remote connections on ports 443 and 53, Invincea said, adding that there were two redirects present on the DoL page sending visitors to dol[.]ns01[.]us. Once the user is redirected, a file is executed, ports are opened and registry changes are made to maintain persistence on the machine. Ghosh said that one of the command and control servers had already been blacklisted by Google.
AlienVault Labs manager Jaime Blasco said that researchers had detected redirects to another server at sellagreement[.]com. That domain was also serving some of the malicious payloads found on dol[.]ns01[.]us. Blasco recommends checking logs for connections to either of those domains.
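As an added illustration of the log check Blasco recommends (not part of the original report or of any vendor tool), the following Python scanner flags DNS and proxy log lines that touch the two redirect domains named above; the log line formats and the sample lines are constructed for this example, and the real names of the defanged domains are assumed to be the obvious ones.

```python
"""Flag DNS/proxy log lines that reference the watering-hole redirect domains."""
import re

# Domains named in the report (written defanged there); subdomains also match.
WATERING_HOLE_DOMAINS = ("dol.ns01.us", "sellagreement.com")

# Assumed log formats (constructed for this example, not a real product format):
#   DNS:   "<ts> client=<ip> query=<hostname> type=A"
#   Proxy: "<ts> src=<ip> dst=<url> status=<code>"
DNS_RE = re.compile(r"client=(?P<src>\S+)\s+query=(?P<host>\S+)")
PROXY_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<url>\S+)")
HOST_IN_URL_RE = re.compile(r"^[a-z][a-z0-9+.-]*://([^/:]+)", re.I)


def matches_indicator(host: str) -> bool:
    """True if host is one of the indicator domains or a subdomain of one."""
    h = host.lower().rstrip(".")  # tolerate trailing dot and mixed case
    return any(h == d or h.endswith("." + d) for d in WATERING_HOLE_DOMAINS)


def extract(line: str):
    """Return (source_ip, hostname) for a recognised line, else None."""
    m = DNS_RE.search(line)
    if m:
        return m.group("src"), m.group("host")
    m = PROXY_RE.search(line)
    if m:
        hm = HOST_IN_URL_RE.match(m.group("url"))
        if hm:
            return m.group("src"), hm.group(1)
    return None


def find_hits(lines):
    """Return [(source_ip, hostname, raw_line)] for every line hitting an indicator."""
    hits = []
    for line in lines:
        parsed = extract(line)
        if parsed and matches_indicator(parsed[1]):
            hits.append((parsed[0], parsed[1], line.strip()))
    return hits


def affected_sources(lines):
    """Sorted list of internal hosts that resolved or fetched an indicator domain."""
    return sorted({src for src, _, _ in find_hits(lines)})


# Constructed sample log: two clean lines, three true hits, one look-alike miss.
SAMPLE_LOG = """2013-05-03T10:12:01Z client=10.1.2.3 query=www.dol.gov type=A
2013-05-03T10:12:02Z client=10.1.2.3 query=dol.ns01.us type=A
2013-05-03T10:12:05Z src=10.1.2.3 dst=http://dol.ns01.us/index.html status=200
2013-05-03T10:13:40Z src=10.1.2.7 dst=https://www.sellagreement.com/ status=200
2013-05-03T10:14:00Z client=10.1.2.9 query=notsellagreement.com type=A
2013-05-03T10:14:01Z src=10.1.2.9 dst=http://example.com/sellagreement.com status=200""".splitlines()

if __name__ == "__main__":
    for src, host, _ in find_hits(SAMPLE_LOG):
        print(f"{src} contacted {host}")
```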
From the initial analysis of the JavaScript on the DoL site, it collects system information, checking for a number of antimalware programs as well as third-party software such as Flash and Java, likely in order to launch further exploits. Blasco added that the command and control protocol used in the attack matches that of a Chinese espionage gang known as Deep Panda; other characteristics of this attack match those used against the website of a Thai human rights non-governmental organization.
The Poison Ivy RAT, meanwhile, is a backdoor that an attacker can use to remotely access compromised machines and add or delete files, edit the Registry, view or kill running processes, network connections and services, and add or delete applications. It can be used for espionage, and some variants have the capability to start remote command shells, take screenshots, start audio or video recordings and drop keylogging software.