Cyberattack highlights software update problem in large organizations

A recent cyberattack targeting U.S. government employees working with nuclear weapons illustrates the vulnerability of large organizations that struggle with deploying protective software upgrades.

The attackers, who compromised a Department of Labor website, exploited a previously unknown vulnerability, called a zero-day flaw, in Internet Explorer 8, commonly found on PCs running Windows XP. Javascript injected in the site redirected visitors using IE8 on XP to a malicious website.

In choosing to go after federal agencies, the attackers understood that many government departments are still using outdated versions of Windows and IE, due to the huge expense of upgrading thousands of people to newer versions. Such migrations involve the difficult task of upgrading many other business applications to support the new OS.

“There’s a lot of government agencies, and commercial entities as well, that simply cannot upgrade to these latest versions,” Eddie Mitchell, security researcher for Invincea, said Monday. “They have internal applications, HR (human resource) applications, payroll applications and such that were designed explicitly to work with Internet Explorer 8, which is why these organizations are still vulnerable.”

Researchers agree that the command-and-control (C&C) servers in the latest attack, discovered last week, have attributes similar to those used in previous assaults originating from China.

FireEye reported that the host name of the C&C servers in the latest attack included the phrase “microsoftUpdate,” which was also used in attacks over the last six months against the Council on Foreign Relations website and news sites in China visited by Chinese dissidents.

[Also see: Army Corps database on dams compromised]

“I’m not going to be surprised if they are originating from the same group,” Zheng Bu, senior director of research for FireEye, said.

FireEye and Invincea have not identified the culprits, but AlienVault reported that the malware is using the same protocol to communicate with the C&C servers as the one used by a Chinese hacking group called Deep Panda. The group is known to attack a variety of U.S. entities, including the high-tech and defense industries and state and federal government agencies.

The pages compromised on the Labor Department site contained information that listed nuclear-related illnesses linked to Department of Energy facilities where employees are developing atomic weapons. Visitors were redirected to the malicious website unknowingly, since there was no obvious change in the browser.

That’s accomplished through the use of JavaScript and HTML inline frames. Called iFrames, the technology is embedded in pages to link to malicious sites. IFrames were the most commonly used exploit in Web-based attacks in the second half of last year, according to Microsoft’s latest Security Intelligence Report. 

Makers of popular exploit kits available in the criminal underground, such as Blackhole and Cool, are expected to incorporate the latest zero-day vulnerability soon, Mitchell said.

“It would not surprise me in the least, based on what we’ve seen in the past, to see this exploit loaded [in kits] in the next day or two, a week at the most,” he said.

Indeed, FireEye reported finding nine other websites besides the Labor Department’s redirecting visitors to the same malicious site. Microsoft issued an alert last Friday notifying customers of the vulnerability. The company has not said when it would release a patch.

“We strongly encourage customers to follow the workarounds listed in the advisory while we continue working on a full update to address this issue,” said Dustin Childs, group manager for response communications for Microsoft Trustworthy Computing.