Latest IE 0-day still unpatched, attacks exploiting it go back three months
Posted on 30 September 2013.
While Microsoft is yet to issue a patch for the latest Internet Explorer zero-day (CVE-2013-3893), reports are coming in that the flaw has been exploited more widely and for a longer time than initially believed.


Microsoft acknowledged the existence of the vulnerability and its active exploitation earlier this month, and has issued a Fix it tool to mitigate the danger until a patch can be released.

Since then, FireEye researchers have tied the attacks to the Chinese hacking group that hit Bit9 earlier this year, and have shared that the campaign ("Operation DeputyDog") was aimed at Japanese organizations and started on August 19 at the latest.

Then, on Thursday, researchers from both AlienVault and Websense released their findings regarding the exploit used.

Researcher Jaime Blasco says that they spotted it being hosted on a subdomain of Taiwan's Government e-Procurement System, and discovered that first-time visitors to the main page were instantly redirected to the exploit page and served a malicious file.

But not all visitors were targeted - just those running Windows XP or Windows 7 in English, Chinese, French, German, Japanese, Russian, Korean or Portuguese, and using Internet Explorer 8 or 9.

Alex Watson of Websense confirmed the Taiwan connection.

"Our ThreatSeeker Intelligence Cloud reported a potential victim organization in Taiwan attempting to communicate with the associated malicious command and control server as far back as July 1, 2013. These C&C communications predate the widely-reported first use of this attack infrastructure by more than six weeks, and indicate that the attacks from this threat actor are not just limited to Japan," he shared.

"Websense Threat Intelligence indicates that the threat actor's attacks were not limited only to Japan as previously reported. The use of separate IP addresses, domain registrations, and permutations to dropper locations indicates a high degree of segmentation between attacks and different teams using the same tool sets, exploits and C&C infrastructure," he added.

Copyright 1998-2014 by Help Net Security.