Microsoft last night released a Fix-It tool as a temporary mitigation for a zero-day vulnerability in Internet Explorer 10 being exploited by two hacker groups against the Veterans of Foreign Wars in the U.S. as well as a French aerospace manufacturer.
IE 9 also contains the same use-after-free vulnerability enabling remote code execution, but it is not being exploited, Microsoft said. Microsoft has issued Fix-It tools for a number of zero-day vulnerabilities exploited in the wild in lieu of rushing out an out-of-band patch. The company’s next scheduled Patch Tuesday security updates release is March 11, which is likely the earliest an IE update would be released.
Microsoft has been patching its maligned browser almost monthly for more than a year, including a cumulative update on Feb. 11 that patched 24 vulnerabilities, including one that was publicly disclosed.
Researchers at FireEye reported the Veterans of Foreign Wars attack last week and attributed Operation SnowMan to the same groups behind DeputyDog and Ephemeral Hydra, both of which exploited IE zero-days in watering hole attacks to distribute remote access Trojans in order to spy on targets in government, military, manufacturing and other high-value industries.
FireEye found an iframe on VFW.org that used a malicious Flash object to trigger the vulnerability in IE 10. Once on a compromised machine, the Flash object downloads the RAT from a command server and executes it. As in the previous attacks, a variant of Gh0stRAT was used in the SnowMan attacks and connected to some of the same IP addresses. The exploit used in the SnowMan attacks, FireEye said, can bypass memory protection features such as Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) built into Windows.
Yesterday, researchers at Seculert reported that a second group of attackers was using the same vulnerability in the Microsoft browser to impersonate the French aerospace firm, compromise visitors to its website and steal credentials. Reuters reported yesterday that the manufacturer was Snecma, an engine manufacturer. The news agency cited a source who said the malware used against Snecma targeted domains belonging to the company.
Microsoft confirmed FireEye’s finding in a technical description of the vulnerability yesterday:
“To recap, it uses JavaScript to trigger the use-after-free condition and then uses Flash to convert a write primitive into a read/write primitive that enables DEP and ASLR to be bypassed. The primitive conversion happens by redirecting a write based on a freed object’s data (which has now been reallocated by the attacker) to corrupt a size field inside a Flash object. The corrupted size field in the Flash object is used to read and write outside of the object’s boundary, allowing discovery of module addresses in Internet Explorer’s Address Space.”
Seculert CTO Aviv Raff said the second group is likely not affiliated with the Operation SnowMan gang. While exploiting the same vulnerability, the group targeting the French manufacturer used different malware. It drops a backdoor and two executables that steal information from browsing sessions; that data is sent to a command and control server, which is hosted in the U.S. Raff said the malware is signed with a valid certificate belonging to Micro Digital Inc.
The malware changes the hosts file on infected machines and adds entries for several secure domains belonging to French aerospace companies. While some pharming campaigns have gone this route, Raff said this campaign has a different goal.
“The domains that were added to the hosts file by the malware provide remote access to the employees, partners, and 3rd party vendors of a specific multinational aircraft and rocket engine manufacturer,” Raff said. “The IPs added belong to the real remote access web servers and by adding the records to the hosts file the attackers ensured that there would be no DNS connectivity issues. Whenever the infected machines connect to the remote assets, the attackers are able to steal the sensitive credentials. This is the first time we have seen a malware change a hosts file for a purpose other than fraud perpetuated by pharming or for disabling access to specific websites.”
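The hosts-file tampering Raff describes is one of the more detectable parts of this campaign: a legitimate corporate remote-access hostname has no business being pinned in a workstation's hosts file, and a hostname mapped to loopback is the classic "disable access to a site" trick the quote contrasts it with. The script below is an added example, not Seculert's or Microsoft's tooling, that parses hosts-file text and flags both patterns plus any entry absent from an administrator's baseline. The sample hosts content, the `example-aerospace.invalid` and `partner-portal.invalid` names, and the addresses in it are constructed placeholders; the watched-suffix list is an assumption standing in for an organisation's real domains.

```python
import ipaddress
import os
import sys
from typing import Iterable, List, Tuple

# Constructed sample hosts file (not taken from any real machine). The first
# entries are ordinary defaults; the rest mimic the pattern described in the
# article: corporate remote-access hostnames pinned to fixed addresses so that
# lookups never touch DNS, plus one name sinkholed to loopback. All names and
# addresses are placeholders.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
10.0.0.5        build.internal                       # admin-approved
203.0.113.10    remote.example-aerospace.invalid
203.0.113.11    vpn.example-aerospace.invalid        # "added by update"
198.51.100.5    sso.partner-portal.invalid
127.0.0.1       av-update.example.invalid
"""

# Names that legitimately map to loopback on a default install.
DEFAULT_NAMES = ("localhost", "localhost.localdomain", "broadcasthost")

REASON_PINNED = "corporate hostname pinned in hosts file (bypasses DNS)"
REASON_SINKHOLED = "hostname sinkholed to loopback/unspecified address"
REASON_UNKNOWN = "entry not in baseline"
REASON_BAD_ADDR = "unparseable address"

Finding = Tuple[str, str, str]  # (address, hostname, reason)


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs from hosts-file text.

    Comments (everything after '#') and blank lines are ignored; a line may
    list several hostnames for one address, each becomes its own pair.
    """
    pairs: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line, nothing to map
        addr, *names = fields
        for name in names:
            pairs.append((addr, name.lower()))
    return pairs


def suspicious_entries(text: str,
                       baseline: Iterable[Tuple[str, str]] = (),
                       watched_suffixes: Iterable[str] = ()) -> List[Finding]:
    """Flag hosts entries a defender would want to review.

    baseline:         (address, hostname) pairs an administrator approved.
    watched_suffixes: the organisation's own domains; any hosts entry under
                      them is reported, since it silently overrides DNS.
    """
    approved = {(a, n.lower()) for a, n in baseline}
    watched = tuple(s.lower().lstrip(".") for s in watched_suffixes)
    findings: List[Finding] = []
    for addr_text, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(addr_text)
        except ValueError:
            findings.append((addr_text, name, REASON_BAD_ADDR))
            continue
        if (addr_text, name) in approved:
            continue
        if name in DEFAULT_NAMES and addr.is_loopback:
            continue  # stock localhost lines
        if any(name == s or name.endswith("." + s) for s in watched):
            findings.append((addr_text, name, REASON_PINNED))
        elif addr.is_loopback or addr.is_unspecified:
            findings.append((addr_text, name, REASON_SINKHOLED))
        else:
            findings.append((addr_text, name, REASON_UNKNOWN))
    return findings


def load_hosts(path: str = None) -> str:
    """Read the system hosts file (Windows path under %SystemRoot%, else /etc/hosts)."""
    if path is None:
        if os.name == "nt":
            path = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                                "System32", "drivers", "etc", "hosts")
        else:
            path = "/etc/hosts"
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()


if __name__ == "__main__":
    # With no argument, scan the embedded sample; otherwise scan the given file.
    text = load_hosts(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_HOSTS
    hits = suspicious_entries(text,
                              baseline=[("10.0.0.5", "build.internal")],
                              watched_suffixes=["example-aerospace.invalid"])
    for addr_text, name, reason in hits:
        print(f"{addr_text:<16} {name:<40} {reason}")
```

The suffix check deliberately fires even when the pinned address is the server's real one, because, as Raff notes, the attackers used the genuine IPs precisely so nothing would break; the anomaly is that the entry exists at all, not where it points. In a fleet, the baseline would come from configuration management and the watched suffixes from the organisation's domain inventory.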