Criminals rush to exploit IE 0-day before the announced fix
Posted on 11 March 2014.
Last week Microsoft announced that today's Patch Tuesday will include a fix for the critical IE zero-day vulnerability that was found being exploited in watering hole attacks earlier this year. The fix comes none too soon, as a number of bad actors have been using the same exploit code in other similar attacks since then.


Initially, the exploit was used to compromise visitors to a fake site of the French aerospace association GIFAS and to the legitimate but compromised website of the US Veterans of Foreign Wars. Seculert researchers believe that the two attacks weren't executed by the same group, but that the two groups bought the attack code from the same black market seller.

But in the last month or so, Websense has detected three more websites compromised to either redirect to the exploit or to serve it, as the exploit code has obviously ended up in the public domain.

First is hatobus.co.jp, a popular Japanese transportation website that gets as many as 25,000 visitors each week.

"At the moment, hatobus.co.jp appears to be down for maintenance with a message letting us know that the website has been breached," the researchers shared. "Looking at some telemetry, we can confirm that the website was breached and served code leading to the exploit utilizing CVE-2014-0322 through a sneaky iFrame. The iFrame that seamlessly redirected browsing users to the exploit was buried in one of the Javascript files that were served by the web server specifically at hxxp://www.hatobus.co.jp/js/rollover.js."

In this particular case, the attackers used both this exploit and exploit code for a Java vulnerability (CVE-2013-2465) to double the chances of success, and the victims would ultimately be saddled with a banking Trojan harvesting credentials for two Japanese banking sites.

The other two compromised websites belong to a Taiwanese English School and to Hong Kong University's Chemistry Department. The former had the exploit on the main page.

"It's evident that the repercussions of exploit code of an unpatched vulnerability that found its way to the public domain can have quite an impact; exploit code that has been crafted for a targeted attack is virtually later on copied and used to drop crimeware binaries," the researchers pointed out.

"We could see that the exploit code for CVE-2014-0322 was encompassed and served in a variety of ways as it 'evolved' in scale: starting from being utilized on a cybersquatted lure website used in a low-volume and selected 'under the radar' targeted attacks to being served through hidden iframes and exploit code that was directly placed on compromised websites with the ultimate aim to impact as many browsing users as possible with crimeware."








