New Microsoft Zero-Day Attack Targeting U.S. Businesses


A new Microsoft Internet Explorer zero-day vulnerability is being used in a targeted campaign against U.S.-based organizations interested in national and international security policy.

Researchers at security vendor FireEye said they detected the zero-day exploit hosted on a breached website based in the U.S. The exploit is being used to deliver an advanced persistent threat, attacking individuals with a data-stealing Trojan used in previous targeted campaigns, the researchers said.

"The attackers inserted this zero-day exploit into a strategically important website," FireEye said in its analysis of the attack issued on Sunday. "This campaign has proven to be exceptionally accomplished and elusive."

The name of the breached website where the exploit was found has been withheld. The firm said the cybercriminals behind the attack appear to be the same group responsible for a string of targeted campaigns, including the Bit9 data breach. The exploit targets users of Internet Explorer 7-10 and is believed to work on Windows XP and Windows 7 systems. FireEye said it worked with iSight Partners in discovering and researching the exploit.

In the latest discovery, FireEye said the same infrastructure was used in a string of targeted campaigns this year against individuals in Japan, South Korea and the U.S. The Trojan that is used in the attack is a variant of one used against Bit9 and in the Operation Aurora campaign of 2009 that targeted Google and other large tech companies. That campaign is believed to have originated in China.

Microsoft has not yet responded with a security advisory, but the software maker plans a critical update to Internet Explorer on Tuesday, repairing flaws that impact all supported versions of the browser. Microsoft's engineers are also still working on a patch to repair a zero-day vulnerability impacting Office and Windows Vista. That attack exploits a flaw in the way Windows handles TIFF graphics files.

Solution providers told CRN that they are not advising their customers to switch to alternative browsers. Doing so is unlikely to reduce the risk of an attack, because every browser has vulnerabilities and attackers also target browser components, said Rob Kraus, director of research at managed security services provider Solutionary. Kraus said businesses would be better off educating employees about safe browsing habits and ensuring that the latest patches are applied.

"If an attacker wants to gain access to your system, it's very likely that they're going to find a way in one way or another," Kraus said. "Rather than simply reacting to every threat, organizations are better off assessing their security programs and focusing on getting better at the basics."

The FireEye researchers said the latest zero-day attack is an example of the growing sophistication of attacker techniques. The Trojan resides only in memory and never writes itself to disk, making it easier to evade detection by traditional, file-based security systems. It also makes the infection harder for forensic investigators to track and analyze, the firm said.

"APT actors are clearly learning and employing new tactics," the researchers said. "With uncanny timing and a penchant for consistently employing zero-day exploits in targeted attacks, we expect APT threat actors to continue to evolve and launch new campaigns for the foreseeable future."

PUBLISHED NOV. 11, 2013