Attacks multiply as hackers target unpatched IE flaw
Browser vulnerability remains unpatched as hackers focus attacks
September 30, 2013 — CSO — Hackers were moving rapidly toward widespread distribution of an exploit for a previously unknown vulnerability in Internet Explorer that awaits a patch from Microsoft, security experts say.
Since Microsoft acknowledged the critical vulnerability nearly two weeks ago, the number of hacker-led campaigns targeting corporate networks has increased steadily. Experts agree that an exploit for the flaw will soon be packaged in popular malware development kits available online in the criminal underground.
Indeed, Rapid7 reported Monday that a module for the IE exploit has been added to its popular Metasploit tool, which penetration testers use to check software for vulnerabilities.
Adding the exploit to Metasploit is an indication of how the vulnerability has become "truly public knowledge," according to Patrick Thomas, security consultant for Neohapsis. The module can only be tested on IE9 on Windows 7 SP1 with either Office 2007 or Office 2010.
"We do not believe it will be long before we see widespread distribution of the exploit," Alex Watson, director of security research for Websense, said.
"The criminals are attempting to use this vulnerability as fast as they can, before Microsoft patches the exploit in a regular Patch Tuesday, or perhaps in an out-of-band patch."
Microsoft is scheduled to distribute its monthly patch release Oct. 8. Because the software maker has released a temporary fix for the flaw affecting all versions of IE, experts do not expect a permanent fix until the upcoming release.
The temporary Band-Aid is 32-bit only, making it useless to organizations running 64-bit Windows operating systems.
Meanwhile, FireEye reported Monday at least three more advanced persistent threat (APT) campaigns targeting the IE vulnerability. While the attackers were using the same exploit, they represented three separate groups.
One group, which FireEye called Web2Crew, was coding the exploit into Poison Ivy, a remote access Trojan (RAT) that has been popular for almost a decade. The RAT has been used in high-profile attacks in the past, such as the 2011 RSA breach that compromised its SecurID authentication token.
FireEye reported finding the latest exploit hosted on a server in Taiwan. The target appeared to be a financial institution that had been targeted in previously reported campaigns.
The second group of hackers, dubbed Taidoor, was using malware of the same name, which was found on a compromised Taiwanese government website. The same site had been used in a separate APT attack reported earlier.
The Taidoor group was targeting the same financial services firm as Web2Crew, FireEye said.