Security Pros Warn of Drowning in IE ‘Watering Hole’ Attack

Microsoft has confirmed a report of an Internet Explorer zero-day exploit. Redmond also confirmed that it is being leveraged in an active attack campaign. Version 10 of IE is reportedly vulnerable to the so-called watering hole attack.

“FireEye Labs has identified a new Internet Explorer (IE) zero-day exploit hosted on a breached Web site based in the U.S.,” FireEye wrote in a blog post on Thursday. “It’s a brand new zero-day that targets IE 10 users visiting the compromised Web site -- a classic drive-by download attack. Upon successful exploitation, this zero-day attack will download a XOR encoded payload from a remote server, decode and execute it.”

How the Watering Hole Works

FireEye first discovered what it has dubbed “Operation Snowman” on Feb. 11. The zero-day exploit targets CVE-2014-0322 and is being served up from the U.S. Veterans of Foreign Wars’ Web site.

“We believe the attack is a strategic Web compromise targeting American military personnel amid a paralyzing snowstorm at the U.S. capitol in the days leading up to the Presidents Day holiday weekend,” the firm reported. “Based on infrastructure overlaps and tradecraft similarities, we believe the actors behind this campaign are associated with two previously identified campaigns.”

Here’s how it works: After compromising the VFW Web site, the attackers added an iframe into the beginning of the Web site’s HTML code that loads the attacker’s page in the background, FireEye explained. The attacker’s HTML/JavaScript page runs a Flash object, which orchestrates the remainder of the exploit.

FireEye said the exploit includes calling back to the IE 10 vulnerability trigger, which is embedded in the JavaScript. Specifically, visitors to the VFW Web site were silently redirected through an iframe to the exploit at www.[REDACTED].com/Data/img/img.html.
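For site owners, one way to check served pages for the injection pattern described above, a foreign-host iframe placed ahead of the page's own markup or rendered invisibly. This is an added example, not FireEye's or Microsoft's tooling; the host names, the sample page, the function names and the hidden-frame heuristics (zero size, `display:none`) are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: hosts and paths are placeholders, not real indicators.
SAMPLE = """<iframe src="http://attacker.example/x.html" width="0" height="0"></iframe>
<!DOCTYPE html>
<html><head><title>Constructed test page</title></head>
<body>
<iframe src="/events/calendar.html" width="600" height="400"></iframe>
<iframe src="https://maps.partner.example/embed" width="600" height="400"></iframe>
</body></html>
"""

class IframeAudit(HTMLParser):
    """Collect iframes that load a foreign host, noting position and visibility."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.seen_html_tag = False  # has the page's own <html> element started?
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "html":
            self.seen_html_tag = True
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        if not host or host == self.site_host or host.endswith("." + self.site_host):
            return  # relative or same-site frame: not reported
        style = a.get("style", "").replace(" ", "").lower()
        hidden = (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                  or "display:none" in style or "visibility:hidden" in style)
        self.findings.append({"host": host, "line": self.getpos()[0],
                              "before_html_tag": not self.seen_html_tag,
                              "hidden": hidden})

def audit(html, site_host):
    """Return every foreign-host iframe found in the served HTML."""
    parser = IframeAudit(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings

def suspicious(findings):
    """Keep frames that are invisible or sit ahead of the page's own markup."""
    return [f for f in findings if f["hidden"] or f["before_html_tag"]]

if __name__ == "__main__":
    for f in suspicious(audit(SAMPLE, "vfw-site.example")):
        print(f)
```

Run it against the HTML as actually served to a browser rather than the template on disk, and compare the full `audit()` list against the set of third-party hosts the site is expected to embed.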

No Out-of-Band Patch Required

We caught up with Tyler Reguly, manager of security research for Tripwire, to get his take on the zero...
