Internet Explorer 0-day attacks on US nuke workers hit 9 other sites

ArsTechnica

Attacks exploiting a previously unknown and currently unpatched vulnerability in Microsoft's Internet Explorer browser have spread to at least nine other websites, including those run by a big European company operating in the aerospace, defense, and security industries as well as non-profit groups and institutes, security researchers said.

So, just another IE8 vulnerability? Not so fast. This is a fresh, new zero-day attack, meaning this exploit uses a previously unknown software defect to deliver its payload. These occur, but not often.

Another aspect that makes it interesting is that it seemed to narrowly target US nuclear workers.

Such "watering hole" attacks—which plant malware exploits on websites that are frequented by specific groups or people—have become a common technique in targeted attacks. Once compromised by the IE zero-day, computers are infected with a version of Poison Ivy, a backdoor tool that has been widely used in past espionage campaigns. The command-and-control servers used to communicate with infected machines show signs that they were set up by a Chinese hacking crew known as DeepPanda.

Researchers at FireEye have also delved into the exploit circulating online. They found it uses "return oriented programming," a technique used to defeat data-execution prevention and other exploit mitigations. The FireEye researchers said they also verified the exploit works against IE8 on Windows 7.

Because of the way this exploit was delivered, I would strongly suspect this is the work of another government (China?), not a few script kiddies sitting in the mom's basement.

What is still unclear from the article is what systems, if any, may have been compromised in this attack.

reply to post by AnonymousCitizen


DHS and others put out official bulletins a few days ago warning that an attack was likely today and that it might target infrastructure, Government systems and corporate computers.

I hadn't thought much of it....after all, Crying wolf happens so much these days, I'm tired of the crying. I guess even they can be right occasionally. Ouch.

This is the tip of an iceberg ahead. I'm sure of it. It will not be contained to the initial target audience however, I can assure you.

reply to post by AnonymousCitizen


It sounds like just an intel/info gathering operation.

If its IE8 then hopefully it will have minimal impact if people have upgraded to IE9.

Originally posted by PhoenixOD
If its IE8 then hopefully it will have minimal impact if people have upgraded to IE9.

Unfortunately, while most retail users have indeed upgraded, often corporate, defense, and industry computers have not been updated because they are required to use specific/approved versions. Windows XP and IE8 is (sadly) still pretty common in those circles.

On the other hand, this should protect most home users.

Why do people who work at places that would be targeted have access to the internet ?
Surely sensitive networks should be blocked from external access & internal networks should never be allowed to communicate to any internet enabled computers .