IE Zero-Day Watering Hole Attack Expands to Handful of Political Sites

The scope of watering hole attacks utilizing a previously unreported vulnerability in Internet Explorer has widened to as many as four new sites, all of them with politically charged leanings.

The scope of watering hole attacks utilizing a previously unreported vulnerability in Internet Explorer has widened to as many as four new sites, all of them with politically charged leanings.

The attacks further demonstrate the effectiveness of watering hole attacks compared to phishing attacks for example, which require some advance legwork in order to target victims.

“The whole point of the waterhole tactic is that they believe such sites, although usually not with high numbers of users, will have interesting visitors,” said Jindrich Kubec, a researcher with Avast Software in the Czech Republic. “Maybe [the attackers] believe that this may be less guarded in an enterprise environment. This only needs passive visitors of the website.”

Kubec said two Chinese human rights sites, a Hong Kong newspaper site and a Russian science site are infected with the Flash exploit of IE8. Luxembourg-based researcher and Metasploit contributor Eric Romang identified one of the Chinese sites as the home of the dissident Uygur Haber Ajanski group. Romang said the site is still hosting the exploit and urges users to stay away.

Romang also said a Taiwanese travel agency Phil-Am Tour, was also hosting the same infected file, but has since been cleaned.

Initial reports of the attack came earlier this week when an attack against the influential Washington, D.C.-based Council on Foreign Relations website was discovered. A malicious Adobe Flash. swf file was discovered on the site and infecting visitors using Internet Explorer 8. IE 6 and 7 also contain the same use-after free memory corruption vulnerability, but the exploit targeted IE 8 users only.

The CFR is a foreign-policy resource and numerous public, political figures are listed among its members and directors. Yesterday, Romang also identified Capstone Turbine Corp., an energy microturbine manufacturer as also hosting the exploit on its website. Capstone’s equipment is present in many prominent en energy utilities.

Avast, meanwhile, said two of the infected sites are hosting the same binary with the same configuration, which also matches an attack reported in September against a separate IE zero-day that was attributed to the Nitro gang in China. Those attacks were serving the PlugX and Poison Ivy remote access Trojans. Kubec said Avast’s CommunityIQ threat service reported detections on Dec. 9 on the new sites.

“At least two of the sites use the same spyware binary with exactly same configuration,” Kubec told Threatpost. “The rest look a bit different, but we haven’t investigated it thoroughly yet.”

Microsoft, meanwhile, insists the scope of the attacks are limited because most of its users are on IE9 and IE10 and have moved off the older versions of the browser; Microsoft said it will not have an IE update ready for Tuesday’s upcoming Patch Tuesday security updates. A Fix It was released Monday as a temporary mitigation. Kubec said that 33 percent of Avast’s CommunityIQ users are on Internet Explorer, and 50 percent of them are on IE8 or older.

“One of the reasons for high IE8 numbers may be Microsoft’s decision not to put IE9 to [Windows] XP,” Kubec said.

The CFR compromise brought these attacks to light. Attackers used a malicious Adobe Flash file called today.swf to launch a heap spray attack against IE, overrunning memory and enabling an attacker to remotely execute code on an infected computer. The Javascript hosting the exploit checks first to see if the Windows language is set to either English, Chinese, Japanese, Korean or Russian before executing. It also uses cookies to ensure the attack is delivered only once.

The vulnerability, Microsoft said, occurs in the way IE access an object in memory that has been deleted or not properly allocated. Memory may be corrupted and allow an attacker to execute code with the user’s privileges.

Suggested articles


  • EricDorlock on

    I believe more websites are going to be discovered over the next few days or weeks that are hosting this IE zero-day exploit. A patch should have already been released, but since Microsoft hasn't yet published one, the attackers are already having success with compromising websites. This patch needs to be out soon and fast!

  • trojkilla on

    The uygur unsesi site had a CVE-2012-4969 'Grumgog.swf' exploit on it back in October.

  • Anonymous on

    why don't you just switch to another browser? 



  • Anonymous on

    >why don't you just switch..

    anyone hear crickets?


  • environengineer on

    "Why don't you just switch to another browser?"  Ever heard of IT department mandates to use only the browser they support or sites you must do business with that only support IE?  I normally do not use IE for personal use, but at work I am required to use it.

  • Ivor on

    As much as the application form procedure of no credit check payday loans have concerns, individuals usually stay assured with acquiring highest benefit and also wide variety involving options. They could sometimes opt for the regular way of putting on and also may continue with the innovative moderate connected with on-line companies. Generally, people get for the second selection, the way it permits them to save lots on his or her campaigns along with moment. In this technique, physical exercises ought to refill a hassle-free on the web application form that's available on the website in their favorite loan company. This manner predominantly requests for career along with details of the applicant. All over this technique of setting the money request, not even as soon as, your customer is necessary to browse the loaner's workplace. Consequently, dozens of consumers, who will be seeking for instant method to obtain personal cash really should certainly visit for this particular mortgage loan selection.Will be your negative credit file stopping you moving forward through investing in money? In this sort of cash you can rely on no credit check payday loans which don't exclusively present satisfactory dollars to meet a person's pressing fees but additionally assist you to transform your credit history. By making use of for this loan you'll be able to fix many type of personal difficulties.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.