Microsoft isn't planning to patch the critical zero-day in IE this month, but Exodus Intelligence researchers claim to have easily bypassed the quick fix. Symantec has linked the latest IE watering hole attacks to an espionage hacker gang called 'Elderwood' that has 'an unlimited supply of zero-day vulnerabilities.'

Although Microsoft issued a Fix It Band-Aid for the critical zero-day hole in Internet Explorer 6, 7 and 8, the company did not list a patch for it in the advance notification for this month's Patch Tuesday. Pressure is mounting on Microsoft nonetheless, since Exodus Intelligence researchers claim to have easily bypassed the quick fix. A Fix It is a workaround that blocks a known path to the bug rather than correcting the flaw itself, and that is exactly the gap Exodus found.

Brandon Edwards, vice president of Intelligence at Exodus, said, “Usually, there are multiple paths one can take to trigger or exploit a vulnerability. The Fix It did not prevent all those paths.” Edwards added, “After less than a day of reverse engineering, we found that we were able to bypass the fix and compromise a fully-patched system with a variation of the exploit we developed earlier this week.”

The story gets darker: Symantec has linked the latest IE watering hole attacks to an espionage hacker gang called “Elderwood.” The company was “able to confirm that this latest Internet Explorer zero-day is a continuation of the Elderwood Project.” Symantec reported, “It has become clear that the group behind the Elderwood Project continues to produce new zero-day vulnerabilities for use in watering hole attacks and we expect them to continue to do so in the New Year.”

In fact, according to The Elderwood Project, a Symantec report [PDF], “The group seemingly has an unlimited supply of zero-day vulnerabilities. The vulnerabilities are used as needed, often within close succession of each other if exposure of the currently used vulnerability is imminent.” The scale of the attacks, in terms of the number of victims and the duration of the attacks, is another indication of the resources available to the attackers. Victims are attacked not for petty crime or theft, but for the wholesale gathering of intelligence and intellectual property. The resources required to identify and acquire useful information, let alone analyze that information, could only be provided by a large criminal organization, attackers supported by a nation state, or a nation state itself.

Symantec added that the newest IE vulnerability is the ninth zero-day the Elderwood gang has used in a 20-month period from 2010 to 2012. The other eight zero-days exploited either IE or Adobe’s Flash Player.

NBCNews said: Elderwood refers to a common malware platform used in an ongoing series of attacks on companies and organizations, dating back to the 2009 Operation Aurora intrusions into the networks of Google and dozens of other Western corporations. Few of the companies attacked during Aurora would confirm that they had been hit or identify their attackers, but Google did both. It pinned the blame squarely on hackers working for or with the Chinese government. (Beijing strenuously denies all allegations that it is behind any attacks.)

“The team behind these operations appears to be in the top tier of professional attack teams, possessing the ability to do original research to find new vulnerabilities in popular applications such as Adobe Flash and Internet Explorer, and then write exploits for those flaws,” wrote ThreatPost. “The Elderwood team also seems to have an uncanny ability to sense when one of the zero days it has been using is about to be disclosed publicly. It often will shift to using a new vulnerability shortly before one of its current favorites is exposed, suggesting the crew watches the developments in the underground and legitimate security communities closely.”

Meanwhile, according to TheNextWeb, Jindrich Kubec, director of Threat Intelligence at Avast, said “four websites are currently trying to exploit the flaw, while five different webpages have already been taken offline.” This extremely targeted IE watering hole attack was first discovered as a drive-by download on the Council on Foreign Relations website.

PCMag added that Avast discovered “two Chinese human rights sites, a Hong Kong newspaper site and a Russian science site had been modified to distribute a Flash exploiting the vulnerability in Internet Explorer 8.” A travel agency in Taiwan was also targeted. “Security researcher Eric Romang found the same attack on energy microturbine manufacturer Capstone Turbine Corporation’s website, as well as on the site belonging to the Chinese dissident group Uygur Haber Ajanski. Capstone Turbine may have been infected as far back as Dec. 17.”

Like Google and Mozilla, Microsoft is blocking the fraudulent digital certificates that chain to intermediate CA certificates mistakenly issued by the certificate authority TURKTRUST Inc, but pressure is mounting for Microsoft to officially patch and close the IE zero-day hole.

Follow me on Twitter @PrivacyFanatic