An Internet Explorer zero-day flaw believed to have been used in an attack limited to Japan and Korea also appears to have been used against several firms and a government entity in the United States, according to new analysis of the threat.
The attack campaign using the zero-day exploit appears to have been broader than once thought, said security vendor Websense. The firm said it detected attacks in late August against a U.S. construction and engineering firm. The attack campaign appears to be financially motivated, attacking a variety of industries in Japan, Korea and Hong Kong as well as the U.S. to steal account credentials from victims.
"It appears that the perpetrators behind this campaign target entities that belong to different industries over a selected set of geolocations, which reaffirms the notion that these kinds of campaigns operate on a global scale and focus on a variety of industries that are not necessarily related," Websense said in its threat analysis. "The perpetrators behind these campaigns are innovative and employ zero-day exploit code, but it also appears that their work is customized for their targets since we witnessed older exploits that have already been patched being used in selected attacks."
Microsoft issued an update Tuesday repairing 10 Internet Explorer vulnerabilities, including two zero-day flaws that had been used in attacks in the wild. One of the zero-days was widely known and tied to the Bit9 data breach and attacks in Japan. The second zero-day vulnerability, discovered by security firm Trustwave, came as a surprise to some researchers and was thought to also be limited to individuals running Windows XP and Internet Explorer 8 in Japan and South Korea. Both vulnerabilities are memory corruption errors, and the exploits for both use a similar technique to execute code on the victim's PC.
Victims of the attack over the last month came from firms in the financial industry, manufacturing, government agencies, and engineering and construction firms, Websense said. Attackers were smart to keep attacks at a low volume and use a targeted method, extending the time it took for security firms to identify the threat and add protection against it, the firm said.
Trustwave's research team has been closely monitoring the command and control server used by the attackers behind the campaign, said Ziv Mador, director of security research at Trustwave. Mador said the group behind the attacks also used a variety of exploits targeting older, already patched vulnerabilities.
"The last attacks we saw were in Japan and Korea, but of course there's nothing in these exploits that would limit them to those geographies," Mador told CRN.
The attack attempts to identify the end-user machine's language. The code validates that the user's machine runs Windows XP with Internet Explorer 8. If it doesn't, the attack will terminate, Mador said. Some of the malware dropped on victims' machines attempts to seek out passwords to online gaming platforms. One malware sample redirected users of a popular Korean bank to a malicious website in an attempt to steal account credentials.
PUBLISHED OCT. 9, 2013