Cybercriminals used the Department of Labor website late last month to target individuals with nuclear engineering skills, in an attack that exploited a dangerous Microsoft Internet Explorer zero-day vulnerability.
Microsoft said that it was aware of attacks targeting a zero-day vulnerability in Internet Explorer 8. The remote code execution vulnerability enables an attacker to gain access to a victim's system and can be used in drive-by attacks.
"The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer," Microsoft said. "An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website."
Microsoft credited Milpitas, Calif.-based FireEye with discovering the vulnerability. In a blog post analyzing the attack, FireEye said the exploit it detected checks the victim's operating system version and appears to run only on Windows XP machines. The firm warned that other attacks could use the exploit to target Internet Explorer 8 running on Windows 7 PCs as well.
"Our research indicates a new IE zero-day is used in this watering hole attack, although some other vendors claim they are using known vulnerabilities," FireEye said.
Watering hole style attacks are used by nation-state sponsored attackers to target groups of individuals in cyberespionage campaigns. The attackers pick a website that their intended victims visit regularly, then use a vulnerability in that website to set up a drive-by attack that infects visitors with malware. The attack detected in late April was on the Department of Labor's Site Exposure Matrices page, which provides toxic substances data to Department of Energy employees.
Dov Yoran, co-founder and CEO of malware analysis firm ThreatGRID, said watering hole attacks are one of a number of techniques used to target groups of individuals.
"It's gaining more popularity and there's much more research driven into detecting them," Yoran told CRN. "It's yet another way to get at an individual at a company."
The latest attacks could be connected with China-based attackers, according to an analysis conducted by security vendor AlienVault Labs. The attack attempts to disable antivirus on the victim's system and collects information on the Java, Microsoft Office and Adobe software versions running on the PC. "Some of the techniques used in this attack are very similar to the ones we identified a few months ago in an attack against a Thailand NGO website," wrote AlienVault researcher Jaime Blasco.
The attack may be part of an advanced exploit kit, according to Craig Williams, a technical leader for the threat research group of Security Intelligence Operations at Cisco. In a blog post analyzing the threat, Williams wrote that the victim's browser automatically decodes the malware payload and the exploit executes while the Web page is rendering.
"These techniques, combined with the attempts to bypass security devices by encoding the payload, make this one of the more technically interesting attacks so far this year," Williams wrote.
PUBLISHED ON MAY 6, 2013