Internet Explorer zero-day vulnerability actively being exploited in the wild

Security researchers at FireEye have detected a new series of drive-by attacks based on a new Internet Explorer zero-day vulnerability. The attackers breached a website based in the US to deploy the exploit code to conduct a classic watering hole attack.

The discovery was announced just a few days after Microsoft revealed the Microsoft Zero-day CVE-2013-3906, a Zero-day vulnerability in Microsoft graphics component that is actively exploited in targeted attacks using crafted Word documents sent by email.

Microsoft graphics component zero-day vulnerability allows attackers to install a malware via infected Word documents and target Microsoft Office users running on Windows Vista and Windows Server 2008.

Recently reported new Internet Explorer zero-day vulnerability detected by FireEye affects the English versions of IE 7 and 8 in Windows XP and IE 8 on Windows 7, but according the experts it can be easily changed to leverage other languages.

Experts at FireEye confirmed that the exploit recently detected leverages a new information leakage vulnerability and an IE out-of-bounds memory access vulnerability to achieve code execution, that attackers use the timestamp from the PE headers ofmsvcrt.dll to select the proper exploit.

“The information leak uses a very interesting vulnerability to retrieve the timestamp from the PE headers of msvcrt.dll. The timestamp is sent back to the attacker’s server to choose the exploit with an ROP chain specific to that version of msvcrt.dll.” explained the researcher Xiaobo Chen and Dan Caselden in the post published by FireEye.

The analysis conducted by the research team at FireEye revealed this IE zero-day affects IE 7, 8, 9 and 10, and as happened for the Microsoft Zero-day CVE-2013-3906 , it can be mitigated by EMET per Microsoft’s feedback.

Very interesting the shellcode, the exploit implements a multi-stage shellcode payload that upon successful exploitation, it will launch rundll32.exe (with CreateProcess), and inject and execute its second stage (with OpenProcess, VirtualAlloc, WriteProcessMemory, and CreateRemoteThread). The second stage downloads an executable and run it from disk.

FireEye experts announced the collaboration with the Microsoft Security team on research activities and the ongoing investigation, the post published has the intent to alert IT community on malicious activities.

FireEye, as confirmed by the post title, believes that the IE zero-day exploit could be used for Watering Hole Attack with specific intent to hit groups of individuals of specific interest for the attackers.

“As the payload was not persistent, the attackers had to work quickly, in order to gain control of victims and move laterally within affected organizations,” said the company. The hackers are also employing novel methods to frustrate forensic investigation techniques.

Let me add that a similar attack could be classifiable in one the following categories:

• State-sponsored attacks that limited the audience to hit to remain under coverage. State sponsored attacks could be linked to government units or to group of cyber mercenaries, like the case of Icefog team discovered by Kaspersky Lab team.
• Malware based attacks that are conducted by cyber criminal for testing purpose. The malicious code is hosted on breached website visited by a limited portion of Internet users, in this way they retrieve important information to improve the malicious agent avoiding to be detected by security firms.

I cannot be more precise without having information on the nature of the targeted website and the complexity of source code used by the attackers.