Researchers discover new campaign targeting American military personnel

Researchers, after investigating a new Zero-Day attack, have discovered a new campaign targeting American military personnel

Update 2:

The VFW has issued an official statement, but has kept it brief because they are "working with federal law enforcement officials on the investigation..."

On February 12, the VFW National Headquarters was notified of a unique and evolved attack on its website. The attackers were able to breach several layers of VFW cyber-security software, installing malicious code that would prompt a malware download to the computers of visitors to vfw.org using Internet Explorer 9 or 10. VFW immediately identified the threat and rectified the code. At this point, there is no indication that any member or donor data was compromised. VFW is currently working with federal law enforcement and a computer security incident response team to locate the source of the attack and determine the extent of the event.

Update:

There have been some developments in this story. The first is from Microsoft. They've updated their original statement, adding that both Internet Explorer 9 and 10 are impacted by the vulnerability, and that both are being targeted. In addition, Microsoft is recommending that users of either browser update to Internet Explorer 11.

"Microsoft is aware of limited targeted attacks against Internet Explorer 10. Our initial investigation has revealed that Internet Explorer 9 and Internet Explorer 10 are affected. We will take the necessary steps to protect customers; meanwhile, we recommend customers upgrade to Internet Explorer 11 for added protection."

The other development comes from Websense.

Researchers there have confirmed that the attackers behind the VFW compromise started their targeted campaign as early as Jan 20 by going after the European aerospace and defense association.

"The initial target of the attack is GIFAS. GIFAS is a French aerospace industries association that has more than 300 members including major prime contractors and system suppliers as well as small specialist companies.

"By targeting the association, the attackers are [targeting] the entire aero-defense industry of France, and other European countries, as GIFAS is also a member in the Aerospace and Defense Industries Association of Europe. The similarities in the exploit, delivery and search for the EMET.DLL indicate that the same group of threat actors involved in previous targeted attacks against high value targets is most likely behind the malicious URL used in this attack."

Websense has a technical write-up on their blog. I've been in touch with the VFW and will update if they provide any additional details.

Finally, FireEye says that the VFW has removed the malicious IFRAME used in the attack, and that their current estimate of the number of potential victims is in the hundreds or thousands. In either case, they said the "estimate is low."


Original Article:

On Thursday, FireEye published a brief warning about drive-by download attacks that are targeting a new vulnerability in Internet Explorer 10. Additional research into the vulnerability, and the source of the attacks, has led researchers to conclude that the incident is related to two others, and that it's an active campaign targeting military personnel.

FireEye's initial warning was brief, simply explaining that the attack started on a breached website in the U.S., and confirmed the issue as a Zero-Day vulnerability in Internet Explorer 10.

From FireEye:

"Upon successful exploitation, this zero-day attack will download a XOR encoded payload from a remote server, decode and execute it. This post was intended to serve as a warning to the generic public. We are collaborating with the Microsoft Security team on research activities. We will continue to update this blog as new information about this threat is found."

Microsoft confirmed the attack, and noted that they were investigating the issue. In a statement to Salted Hash, Microsoft said:

"Microsoft is aware of targeted attacks against Internet Explorer, currently targeting customers using Internet Explorer 10. We are investigating and we will take appropriate actions to help protect customers."

Hours after the initial warning, FireEye released an update, noting that the U.S. website in question, the source of the attacks, was the U.S. Veterans of Foreign Wars domain (VFW / vfw.org):

"We believe the attack is a strategic Web compromise targeting American military personnel amid a paralyzing snowstorm at the U.S. Capitol in the days leading up to the Presidents Day holiday weekend. Based on infrastructure overlaps and tradecraft similarities, we believe the actors behind this campaign are associated with two previously identified..."

The exploit targets Internet Explorer 10 with Adobe Flash, but the attack is aborted if the user is browsing with a different version of Microsoft's browser, or if EMET is installed. Thus, the answer is to avoid Internet Explorer 10 (by upgrading or using an alternate browser) and to use EMET. For home users this is not much of an issue, but in the office it is a different matter entirely.

The attack itself targets a Zero-Day vulnerability, and bypasses ASLR and DEP, two of Microsoft's top defenses against attacks such as these. FireEye has outlined the technical details of the attack itself on their blog.
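Because the exploit only fires for specific Internet Explorer versions (IE 10 per FireEye's first warning, IE 9 and 10 per Microsoft's updated statement), the first thing an office defender needs is a list of which internal clients actually run those versions. The following script is an added example, not code from the article or from FireEye, Websense or Microsoft. It scans constructed web-proxy log lines (the one-IP-per-line, quoted-request, quoted-user-agent layout is an assumed format) and reports clients whose browser engine is IE 9 or 10. It relies on the Trident token rather than the MSIE token, because Compatibility View makes IE 10 advertise itself as "MSIE 7.0" while still reporting "Trident/6.0", the IE 10 engine.

```python
import re

# Constructed sample proxy log lines for this example (not from the article).
# Layout assumed here: <client IP> "<request line>" "<User-Agent>"
SAMPLE_LOG = """\
10.0.1.15 "GET http://www.example.org/ HTTP/1.1" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
10.0.1.22 "GET http://www.example.org/ HTTP/1.1" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
10.0.1.31 "GET http://www.example.org/ HTTP/1.1" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0)"
10.0.1.40 "GET http://www.example.org/ HTTP/1.1" "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
10.0.1.52 "GET http://www.example.org/ HTTP/1.1" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/32.0.1700.107 Safari/537.36"
10.0.1.15 "GET http://www.example.org/news HTTP/1.1" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
"""

# Trident (layout engine) version -> real IE major version. The Trident token
# is not changed by Compatibility View, so it is the trustworthy indicator.
TRIDENT_TO_IE = {"4.0": 8, "5.0": 9, "6.0": 10, "7.0": 11}

# Versions the article reports as affected (IE 9 and 10 per Microsoft's update).
AFFECTED = {9, 10}

LINE_RE = re.compile(r'^(\S+) "([^"]*)" "([^"]*)"$')


def ie_version(user_agent):
    """Return the real IE major version for a User-Agent, or None if it is not IE.

    Prefer the Trident token; fall back to the MSIE token only for old IE
    builds (pre-IE 8) that carry no Trident token at all.
    """
    m = re.search(r"Trident/(\d+\.\d+)", user_agent)
    if m:
        return TRIDENT_TO_IE.get(m.group(1))
    m = re.search(r"MSIE (\d+)\.", user_agent)
    if m:
        return int(m.group(1))
    return None


def exposed_clients(log_text):
    """Map client IP -> IE major version for every client seen on an affected version."""
    found = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed layout
        ip, _request, user_agent = m.groups()
        version = ie_version(user_agent)
        if version in AFFECTED:
            found[ip] = version
    return found


if __name__ == "__main__":
    for ip, version in sorted(exposed_clients(SAMPLE_LOG).items()):
        print(f"{ip}\tInternet Explorer {version}\tupgrade to IE 11 or switch browser")
```

In the sample, 10.0.1.31 would be missed by a naive "MSIE 10.0" string match because it runs IE 10 in Compatibility View; the Trident token catches it. The list only covers the browser-version half of the advice above; whether EMET is present on those hosts has to come from an endpoint inventory, not from proxy logs.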

As mentioned, the VFW campaign has been linked to two other attacks, named DeputyDog and Ephemeral Hydra respectively, due to the infrastructure used by the attackers, and the similarities between the tradecraft being employed by them. According to FireEye, the actors behind the VFW attack and the others have now targeted U.S. government entities, Japanese firms, the defense industrial base, law firms, IT companies, and NGOs.

"The proven ability to successfully deploy a number of different private and public RATs using zero-day exploits against high-profile targets likely indicates that this actor(s) will continue to operate in the mid to long-term."


Copyright © 2014 IDG Communications, Inc.
