An organized cybercriminal group is conducting a new targeted attack campaign against users of Internet Explorer, narrowing in on U.S. organizations with strong ties to the defense and financial industries, according to FireEye security researchers.
The new Internet Explorer zero-day attack, made public Sunday, has prompted Microsoft to issue a security advisory, in which it is warning users that the attacks are targeting every supported version of its browser. The cybercriminals are using a malicious link to get users to visit an attack website with the aim of gaining complete control of the victim's PC, Microsoft said. The Redmond, Wash., software giant did not rule out an emergency, out-of-cycle security update to address the issue.
"An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website," Microsoft said in the advisory. "On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs."
With Microsoft's ending of support for Windows XP, users likely will remain vulnerable indefinitely, said J.J. Thompson, managing director and CEO of Rook Security, a security solution provider and risk management consultancy. Organizations could enable stricter policies in Internet Explorer, use the Microsoft Enhanced Mitigation Experience Toolkit for maximum coverage and disable Flash as a last resort, he said.
"Protecting end users from this attack may prove difficult, especially so for those that happen to still be using Windows XP," Thompson said.
FireEye researchers, meanwhile, said the attack will not work without the Adobe Flash plugin installed on the victim's PC. The Internet Explorer zero-day exploit bypasses Microsoft's built-in security mechanisms designed to thwart malicious code from executing in memory, the company said. In its advisory issued Sunday, FireEye said it knows who the threat actors are but declined to give details about the operators behind what it is calling the Operation Clandestine Fox campaign.
"We believe this is a significant zero-day as the vulnerable versions represent about a quarter of the total browser market," FireEye said. "Disabling the Flash plugin within IE will prevent the exploit from functioning."
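The mitigation both Thompson and FireEye point to is disabling Flash inside Internet Explorer. On Windows the standard way to stop IE from loading a particular ActiveX control is to set that control's "kill bit" under the ActiveX Compatibility registry key. The script below is an added example, not code from the article, FireEye or Microsoft; it assumes the well-known Shockwave Flash control CLSID, the documented Compatibility Flags kill-bit value (0x400), and that it is run from an elevated PowerShell session.

```powershell
# Added example (not from the article or the vendors it quotes): block the Adobe Flash
# ActiveX control in Internet Explorer by setting its kill bit, and report the current state.
# Assumptions: standard Flash CLSID, standard kill-bit registry layout, run as Administrator.

$FlashClsid = '{D27CDB6E-AE6D-11cf-96B8-444553540000}'   # Shockwave Flash ActiveX control
$KillBit    = 0x400                                       # Compatibility Flags bit that blocks loading

# 64-bit Windows carries a separate Wow6432Node view for 32-bit IE; cover both.
$KeyPaths = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$FlashClsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$FlashClsid"
)

function Get-IEFlashKillBit {
    # Returns one record per registry view: the raw flags and whether the kill bit is set.
    foreach ($path in $KeyPaths) {
        $flags = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' `
                    -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -eq $flags) { $flags = 0 }
        [pscustomobject]@{
            Key     = $path
            Flags   = ('0x{0:X}' -f $flags)
            Blocked = [bool]($flags -band $KillBit)
        }
    }
}

function Set-IEFlashKillBit {
    # Sets (or with -Remove clears) the kill bit while preserving any other flag bits.
    param([switch]$Remove)
    foreach ($path in $KeyPaths) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        $current = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' `
                      -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -eq $current) { $current = 0 }
        $new = if ($Remove) { $current -band (-bnot $KillBit) } else { $current -bor $KillBit }
        Set-ItemProperty -Path $path -Name 'Compatibility Flags' -Value $new -Type DWord
    }
}

# Typical use: inspect, block, then confirm.
Get-IEFlashKillBit
Set-IEFlashKillBit
Get-IEFlashKillBit
```

The kill bit only stops Internet Explorer from instantiating the control; it does not uninstall Flash or affect other browsers, so it is a targeted workaround rather than a replacement for patching. Deploying the same value through Group Policy Preferences gives the same effect fleet-wide, and `Set-IEFlashKillBit -Remove` reverses it once a fix is in place.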
The attack also prompted an advisory from the U.S. Computer Emergency Readiness Team, which said an attack without the use of Flash may be possible.
FireEye said it observed an attack website loading a malicious Flash file to exploit the browser vulnerability. It corrupts Flash content to gain access to the browser's allocated system memory and then bypasses Address Space Layout Randomization and Data Execution Prevention, two embedded security mechanisms designed to deter attackers from carrying out such attacks.
The FireEye researchers, Xiaobo Chen, Dan Caselden and Mike Scott, said the cybercriminal organization has been tracked since it was first identified in 2010. The group has specialized in custom browser-based zero-day exploits against Internet Explorer, Firefox and Flash in previous campaigns, the researchers said. Its attack patterns have been difficult to trace, and its command-and-control methods easily bypass intrusion detection systems. Once they gain access, typically within seconds, the attackers establish a foothold on the victim's machine, implement a back door for remote access and then move laterally on the victim's corporate network, according to FireEye.