Zero Day: IE 8 Falls Victim

Monday, May 6, 2013 @ 12:05 PM gHale

A Zero Day vulnerability in Internet Explorer 8 was the hole attackers took advantage of when they hacked into the Department of Labor (DoL) and, as it turns out, quite a few other sites.

Microsoft confirmed the existence of the vulnerability saying it only affected IE8 on Windows XP and possibly IE8 on Windows 7. IE 6, 7, 9 and 10 do not suffer from the issue, and users should upgrade to one of the last two versions until the company patches the flaw.


Those who don’t upgrade can mitigate the flaw by setting the Internet and local intranet security zones to “High” to block ActiveX Controls and Active Scripting in those zones, and by configuring IE to prompt before running Active Scripting, or to disable Active Scripting, in the Internet and local intranet zones.

This watering hole attack became much larger as researchers said as many as nine websites, including a European aerospace, defense and security manufacturer as well as a number of non-profit organizations also suffered compromise and are redirecting visitors to a website hosting malware.

“The list of affected sites includes several non-profit groups and institutes as well as a big European company that plays on the aerospace, defense and security markets,” said researchers at AlienVault, and added the server serving the malicious payloads links to previous attacks by a Chinese cyber espionage group called “DeepPanda.”

The original outbreak first broke May 1 when the DoL’s Site Exposure Matrices website suffered infection and attackers had injected javascript via an iFrame that redirected site visitors to a site hosting the PoisonIvy remote access Trojan.

Researchers originally thought the malware was exploiting a use-after-free memory corruption vulnerability that Microsoft had patched earlier this year. The DoL’s SEM site is a repository of data on toxic substances present at facilities run by the Department of Energy.

Microsoft confirmed in its advisory this is a remote code execution vulnerability that exists in the way IE accesses an object in memory that has been deleted or has not been properly allocated. Microsoft suggests users take caution when sent links via email or IM messages. In the meantime, Microsoft suggests setting the Internet and local intranet security zones to “High” to block ActiveX Controls and Active Scripting, as well as configuring IE to prompt before running Active Scripting.
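As an added example, not from the article or from Microsoft’s advisory, the following PowerShell script applies the interim mitigation described above for the current user and reads the result back. It assumes per-user zone settings under HKCU (if the Security_HKLM_only policy is in force the same values live under HKLM); the zone numbers and action values (1200 for ActiveX, 1400 for Active Scripting) are standard IE registry values, and the function names are my own.

```powershell
# Added example: apply and audit the IE8 interim mitigation (PowerShell 2.0 compatible).
# Zone 1 = Local intranet, Zone 3 = Internet (per-user settings assumed under HKCU).
$ZonesKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Zones = @{ 1 = 'Local intranet'; 3 = 'Internet' }

# Per-zone action values: 1200 = Run ActiveX controls and plug-ins,
# 1400 = Active scripting. Data: 0 = Enable, 1 = Prompt, 3 = Disable.
$Mitigation = @{
    '1200' = 3   # block ActiveX controls
    '1400' = 1   # prompt before running Active Scripting (use 3 to disable it)
}

function Set-IeZoneMitigation {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($zone in $Zones.Keys) {
        $path = "$ZonesKey\$zone"
        if ($PSCmdlet.ShouldProcess("$($Zones[$zone]) zone", 'Apply High-zone mitigation')) {
            foreach ($name in $Mitigation.Keys) {
                Set-ItemProperty -Path $path -Name $name -Value $Mitigation[$name] -Type DWord
            }
            # Label the slider as "High" (0x12000) so the Internet Options UI reflects it.
            Set-ItemProperty -Path $path -Name 'CurrentLevel' -Value 0x12000 -Type DWord
        }
    }
}

function Get-IeZoneMitigationStatus {
    # Read the values back so the change can be verified (or audited before applying).
    foreach ($zone in $Zones.Keys) {
        $props = Get-ItemProperty -Path "$ZonesKey\$zone"
        New-Object PSObject -Property @{
            Zone             = $Zones[$zone]
            ActiveXBlocked   = ($props.'1200' -eq 3)
            ScriptingLimited = ($props.'1400' -eq 1 -or $props.'1400' -eq 3)
            Level            = ('0x{0:X}' -f [int]$props.CurrentLevel)
        }
    }
}

# Run with -WhatIf first to see what would change without touching the registry.
Set-IeZoneMitigation -Verbose
Get-IeZoneMitigationStatus | Format-Table Zone, ActiveXBlocked, ScriptingLimited, Level -AutoSize
```

Sites that legitimately need ActiveX or scripting can be added to the Trusted sites zone rather than relaxing the Internet zone again.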

The malware drops an executable called conime[.]exe onto the infected computer and opens remote connections on ports 443 and 53, said researchers at security firm Invincea, adding there were two redirects present on the DoL page sending visitors to dol[.]ns01[.]us. Once the user ends up redirected, a file executes, ports open and registry changes are made to maintain persistence on the machine.
