The scope of watering hole attacks utilizing a previously unreported vulnerability in Internet Explorer has widened to as many as four new sites, all of them with politically charged leanings.
The attacks further demonstrate the effectiveness of watering hole attacks compared to phishing attacks for example, which require some advance legwork in order to target victims.
“The whole point of the waterhole tactic is that they believe such sites, although usually not with high numbers of users, will have interesting visitors,” said Jindrich Kubec, a researcher with Avast Software in the Czech Republic. “Maybe [the attackers] believe that this may be less guarded in an enterprise environment. This only needs passive visitors of the website.”
Kubec said two Chinese human rights sites, a Hong Kong newspaper site and a Russian science site are infected with the Flash exploit of IE8. Luxembourg-based researcher and Metasploit contributor Eric Romang identified one of the Chinese sites as the home of the dissident Uygur Haber Ajanski group. Romang said the site is still hosting the exploit and urges users to stay away.
Romang also said a Taiwanese travel agency Phil-Am Tour, was also hosting the same infected file, but has since been cleaned.
Initial reports of the attack came earlier this week when an attack against the influential Washington, D.C.-based Council on Foreign Relations website was discovered. A malicious Adobe Flash. swf file was discovered on the site and infecting visitors using Internet Explorer 8. IE 6 and 7 also contain the same use-after free memory corruption vulnerability, but the exploit targeted IE 8 users only.
The CFR is a foreign-policy resource and numerous public, political figures are listed among its members and directors. Yesterday, Romang also identified Capstone Turbine Corp., an energy microturbine manufacturer as also hosting the exploit on its website. Capstone’s equipment is present in many prominent en energy utilities.
Avast, meanwhile, said two of the infected sites are hosting the same binary with the same configuration, which also matches an attack reported in September against a separate IE zero-day that was attributed to the Nitro gang in China. Those attacks were serving the PlugX and Poison Ivy remote access Trojans. Kubec said Avast’s CommunityIQ threat service reported detections on Dec. 9 on the new sites.
“At least two of the sites use the same spyware binary with exactly same configuration,” Kubec told Threatpost. “The rest look a bit different, but we haven’t investigated it thoroughly yet.”
Microsoft, meanwhile, insists the scope of the attacks are limited because most of its users are on IE9 and IE10 and have moved off the older versions of the browser; Microsoft said it will not have an IE update ready for Tuesday’s upcoming Patch Tuesday security updates. A Fix It was released Monday as a temporary mitigation. Kubec said that 33 percent of Avast’s CommunityIQ users are on Internet Explorer, and 50 percent of them are on IE8 or older.
“One of the reasons for high IE8 numbers may be Microsoft’s decision not to put IE9 to [Windows] XP,” Kubec said.
The CFR compromise brought these attacks to light. Attackers used a malicious Adobe Flash file called today.swf to launch a heap spray attack against IE, overrunning memory and enabling an attacker to remotely execute code on an infected computer. The Javascript hosting the exploit checks first to see if the Windows language is set to either English, Chinese, Japanese, Korean or Russian before executing. It also uses cookies to ensure the attack is delivered only once.
The vulnerability, Microsoft said, occurs in the way IE access an object in memory that has been deleted or not properly allocated. Memory may be corrupted and allow an attacker to execute code with the user’s privileges.