Pierluigi Paganini November 11, 2013

FireEye Labs has identified a new IE zero-day exploit used for a watering hole attack in the US. As usual it is crucial to track and mitigate so dangerous threats in time to avoid serious problems.

FireEye Labs has detected a new series of attacks based on the exploit of a new IE zero-day vulnerability in IE browser. The attackers breached a website based in the US to deploy the exploit code to conduct a classic watering hole attack.

The discovery was announced just a few days after Microsoft revealed the Microsoft Zero-day CVE-2013-3906, it is a vulnerability in a Microsoft graphics component that is actively exploited in targeted attacks using crafted Word documents sent by email. The zero-day vulnerability was found in Microsoft products and allows attackers to install a malware via infected Word documents and target Microsoft Office users running on Windows Vista and Windows Server 2008.

The new IE zero-day vulnerability detected by FireEye affects Windows XP with IE 8 and Windows 7 with IE 9, the exploit targets the English version of Internet Explorer, but according the experts it can be easily changed to leverage other languages.

Experts at FireEye confirmed that the exploit recently detected leverages a new information leakage vulnerability and an IE out-of-bounds memory access vulnerability to achieve code execution, that attackers use the timestamp from the PE headers ofmsvcrt.dll to select the proper exploit.

“The information leak uses a very interesting vulnerability to retrieve the timestamp from the PE headers of msvcrt.dll. The timestamp is sent back to the attacker’s server to choose the exploit with an ROP chain specific to that version of msvcrt.dll.”  explained the researcher Xiaobo Chen and Dan Caselden in the post published by FireEye.

The analysis conducted by the research team at FireEye revealed this IE zero-day affects IE 7, 8, 9 and 10, and as happened for the Microsoft Zero-day CVE-2013-3906 , it can be mitigated by EMET per Microsoft’s feedback.

Very interesting the shellcode, the exploit implements a multi-stage shellcode payload that upon successful exploitation, it will launch rundll32.exe (with CreateProcess), and inject and execute its second stage (with OpenProcess, VirtualAlloc, WriteProcessMemory, and CreateRemoteThread). The second stage download an executable and run it from disk.

FireEye experts announced the collaboration with the Microsoft Security team on research activities and the ongoing investigation, the post published has the intent to alert IT community on malicious activities. FireEye, as confirmed by the post title, believes that the IE zero-day exploit could be used for Watering Hole Attack with specific intent to hit groups of individuals of specific interest for the attackers.

Let me add that a similar attack could be classifiable in one the following categories:

• State-sponsored attacks that limited the audience to hit to remain under coverage. State sponsored attacks could be linked to government units or to group of cyber mercenaries, like the case of Icefog team discovered by Kaspersky Lab team.
• Malware based attacks that are conducted by cyber criminal for testing purpose. The malicious code is hosted on breached website visited by a limited portion of Internet users, in this way they retrieve important information to improve the malicious agent avoiding to be detected by security firms.

I cannot be more precise without having information on the nature of the targeted website and the complexity of source code used by the attackers

Pierluigi Paganini

(Security Affairs – Hacking, IE zero-day)