Part 2 – K.I.A. – US Dept. Labor Watering Hole Pushing Poison Ivy Via IE8 Zero-Day

UPDATE – There are two parts to this blog. The content below was added after it was discovered that the exploit being used was NOT CVE-2012-4792 but rather a zero-day targeting IE8.

Read Part 2 below, or jump to Part 1 here.

On Wednesday May 1st, Invincea reported that the Dept of Labor website was compromised to re-direct visitors to a website that in turn executed a driveby download exploit of IE8 in order to install the Poison Ivy backdoor Trojan. Our initial reporting and those of other researchers believed that a known vulnerability (CVE-2012-4792) in IE8 was being exploited by this malicious website.

Since this initial reporting, a number of developments have emerged that we summarize in this Part 2 blog. First, the web pages that were compromised on the DoL site are intended for Dept of Energy employees (and their DoL representatives) dealing with nuclear-related illnesses linked to Dept of Energy facilities and the toxicity levels at each location, as reported here. As such, this compromise is now widely believed to be a watering hole attack that involves compromising one Federal Dept (DoL) to target another (DoE). Furthermore, AlienVault is reporting that the C&C protocol involved in this attack matches that of the Chinese APT DeepPanda, which has previously been analyzed by Crowdstrike.

Today, we announce that after performing additional testing of the exploit described in our original write-up, and as confirmed by another source in the Threat Intel community, we have concluded that the vulnerability targeted during this attack campaign was not CVE-2012-4792 as we originally reported. Instead, the exploit on the DoL site appears to target a zero-day use-after-free memory vulnerability affecting Internet Explorer 8 (IE8) only, which when exploited allows an attacker to remotely execute arbitrary code. Below you can see that we have patched IE8 on our XP test system with MS13-008 (KB2799329), which resolves the vulnerability described in CVE-2012-4792. However, we were still able to reproduce the malware infection described in Part 1 despite having this patch installed:

[Screenshot: DOL-Labor-Watering-Hole-Pushing-Poison-Ivy-Via-IE8-Zero-Day]

Even with this patch for CVE-2012-4792 installed, Invincea has been able to reproduce the exploit as seen below:

[Screenshot: Department of Labor website snapshot]

Invincea has been notified that Microsoft is aware of this vulnerability and is currently investigating. Fortunately, Invincea users are protected from this threat as well as other zero-day exploits. For non-Invincea users, there are no known mitigations for this exploit, which is currently in the wild. For users of IE8, there is no patch currently available, and with this exploit being out in the wild, the potential risk for damage is high. If you are not using Invincea, we advise switching to an alternate browser such as Mozilla Firefox or Google Chrome, if possible, until an official patch has been released by Microsoft. Or better yet, get Invincea so you are protected against this and future zero-day exploits. We also performed some limited testing with IE6 and IE7 on the XP platform, and the specific exploit code seen in this attack does not appear to affect those browser versions. There are also reports that this vulnerability may affect IE8 on the Windows 7 platform; however, Invincea cannot confirm those reports at this time.
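The two findings above (only IE8 is affected, and MS13-008 / KB2799329 does not stop this exploit) translate into a simple exposure inventory. The following PowerShell is an added example, not Invincea's code; it assumes it runs locally on the host being assessed and uses the standard Internet Explorer registry key and Get-HotFix to build its verdict.

```powershell
# Added example (not from the original post): report whether this Windows host
# runs the IE8 build targeted by the zero-day described above. The KB2799329
# check is included only to show that its presence does NOT change the verdict.
function Get-IE8ExposureReport {
    $ieKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
    $ie = Get-ItemProperty -Path $ieKey

    # IE10 and later keep the real version in svcVersion (Version stays at 9.x);
    # IE8 and IE9 only have Version (IE8 on XP: 8.0.6001.x, on Win7: 8.0.76xx.x).
    $versionString = if ($ie.svcVersion) { $ie.svcVersion } else { $ie.Version }
    $major = [int]($versionString.Split('.')[0])

    $os = (Get-WmiObject -Class Win32_OperatingSystem).Caption
    $kbInstalled = $null -ne (Get-HotFix -Id 'KB2799329' -ErrorAction SilentlyContinue)

    # Per the post: IE6/IE7 on XP were not affected, and MS13-008 (KB2799329)
    # does not block this exploit, so the verdict depends on the IE major version only.
    $exposed = ($major -eq 8)

    $recommendation = if ($exposed) {
        'IE8 detected: use an alternate browser until Microsoft releases a patch'
    } else {
        'Not affected by the specific exploit code seen in this attack'
    }

    New-Object PSObject -Property @{
        ComputerName        = $env:COMPUTERNAME
        OperatingSystem     = $os
        IEVersion           = $versionString
        KB2799329Present    = $kbInstalled
        ExposedToIE8ZeroDay = $exposed
        Recommendation      = $recommendation
    }
}

Get-IE8ExposureReport | Format-List
```

Run it through your existing remote-execution tooling to scope how many IE8 hosts (XP, and Windows 7 if the unconfirmed reports hold) need the browser workaround.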

This research was conducted in partnership with iSight Partners, and we would like to acknowledge and thank them for their assistance.

Please contact Invincea here to set up a free trial.