Oct 01, 2013 - 3:45 p.m.

Three New APTs Spotted Piling On IE Zero Day

Chris Brook

Attackers are continuing to pile on a critical Internet Explorer zero day that remains unpatched two weeks after it was reported.

During the last two weeks, it appears that at least three separate targeted attack campaigns have been using the same bug previously used by Operation Deputy Dog, a campaign that wound up compromising Japanese media outlets and tech systems in the middle of September.

Researchers at FireEye initially discovered the DeputyDog campaign – which leveraged the CVE-2013-3893 vulnerability – a little over a week ago. Now word comes that three other, unconnected campaigns, Taidoor, th3bug and Web2Crew, are also using the same exploit.

Web2Crew was spotted on September 25 using the Internet Explorer vulnerability to drop the PoisonIvy remote access Trojan onto machines, some of them belonging to a financial institution. While the exploit was hosted on a server in Taiwan, its command and control server was hosted at an IP address in Hong Kong, one that FireEye had already associated with Web2Crew during the month of August.

Taidoor, malware that was seen compromising victims in Taiwan over the summer, surfaced on a Taiwanese government website on Sept. 26, delivered by way of the CVE-2013-3892 vulnerability.

Lastly, FireEye also noticed a campaign by the malicious actor th3bug using the vulnerability on Sept. 27. That campaign, much like Web2Crew, delivered a PoisonIvy payload to anyone who visited the websites it had compromised.

FireEye’s Ned Moran and Nart Villeneuve, who wrote a blog entry about the new campaigns yesterday, note that this is not an unusual occurrence.

“It is not uncommon for APT groups to hand off exploits to others, who are lower on the zero-day food chain – especially after the exploit becomes publicly available,” the two wrote.

While the exploit isn’t publicly available per se, it has certainly become more widespread throughout the cybercrime underground as of late. On Monday Metasploit released an exploit module for the vulnerability, something that will almost assuredly ramp up attacks using the bug.

While Microsoft released a Fix it tool for the bug in September and urged users of older IE versions to download and apply it, some thought the company might still issue an out-of-band patch for the flaw. At this point, with the company’s usual Patch Tuesday release scheduled for next Tuesday, it seems that users will remain vulnerable for at least another week.