posted on May 7, 2013 @ 12:08 PM
Attacks exploiting a previously unknown and currently unpatched vulnerability in Microsoft's Internet Explorer browser have spread to at least
nine other websites, including those run by a big European company operating in the aerospace, defense, and security industries as well as non-profit
groups and institutes, security researchers said.
So, just another IE8 vulnerability? Not so fast. This is a fresh, new zero-day attack,
meaning this exploit uses a previously unknown software defect to deliver its payload. These occur, but not often.
Another aspect that makes it interesting is that it seemed to narrowly target US nuclear workers.
Such "watering hole" attacks—which plant malware exploits on websites that are frequented by specific groups or people—have become a common
technique in targeted attacks. Once compromised by the IE zero-day, computers are infected with a version of Poison Ivy, a backdoor tool that has been
widely used in past espionage campaigns. The command-and-control servers used to communicate with infected machines show signs that they were set up
by a Chinese hacking crew known as DeepPanda.
Researchers at FireEye have also delved into the exploit circulating online. They found it uses "return-oriented programming," a technique used
to defeat data-execution prevention and other exploit mitigations. The FireEye researchers said they also verified the exploit works against IE8 on
Because of the way this exploit was delivered, I would strongly suspect this is the work of another government (China?), not a few script kiddies
sitting in their mom's basement.
What is still unclear from the article is what systems, if any, may have been compromised in this attack.