IE Zero-Day Exploit Used In Attack Targeting Military Intelligence

← Back to Stories (view on slashdot.org)

IE Zero-Day Exploit Used In Attack Targeting Military Intelligence

Posted by samzenpus on Thursday February 13, 2014 @07:58PM from the protect-ya-neck dept.

wiredmikey writes "Security researchers from FireEye have discovered a new IE 10 Zero-Day exploit (CVE-2014-0322) being used in a watering hole attack on the US Veterans of Foreign Wars' website. According to FireEye, attackers compromised the VFW website and added an iframe to the site's HTML code that loads the attacker's page in the background. When the malicious code is loaded in the browser, it runs a Flash object that orchestrates the remainder of the exploit. Dubbed 'Operation SnowMan' by FireEye, the attack targets IE 10 with Adobe Flash. According to a recently-released report from CrowdStrike Strategic Web Compromises (SWC), where attackers infect strategic Websites as part of a watering hole attack to target a specific group of users, were a favorite attack method for groups operating out of Russia and China. FireEye believes the attackers behind the campaign, thought to be operating out of China, are associated with two previously identified campaigns: Operation DeputyDog and Operation Ephemeral Hydra. 'A possible objective in the SnowMan attack is targeting military service members to steal military intelligence,' FireEye said."

58 comments

Min score:

Reason:

Sort:

They use IE by Anonymous Coward · 2014-02-13 20:14 · Score: 2, Insightful

And without anykind of Flash blocker? God they're even more stupid than I originally theorized.
1. Re:They use IE by Anonymous Coward · 2014-02-13 20:25 · Score: 1, Funny
  
  Which part of "Microsoft product" did they not understand?
Update to IE11 by Anonymous Coward · 2014-02-13 20:17 · Score: 0

Its already fixed. It would be rather easy to take a look at bugs fixed in Software version N and go back and see if they were backported to N-1.
1. Re: Update to IE11 by Anonymous Coward · 2014-02-13 22:11 · Score: 0
  
  the patch came out a few days ago.
Its not soup yet by icebike · 2014-02-13 20:19 · Score: 3

Every time I think Microsoft has their browser house in order, and it might be safe to use IE occasionally, stuff like this hits the fan.

--
Sig Battery depleted. Reverting to safe mode.
1. Re:Its not soup yet by Anonymous Coward · 2014-02-13 20:40 · Score: 0
  
  Every time I think Microsoft has their browser house in order, and it might be safe to use IE occasionally, stuff like this hits the fan.
  It depends on which sources you read for your security vulnerability info, some are cherry picking the stories more than others.. The vulnerability reports from the different security labs paint a quite different picture of the relative security and number of serious vulnerabilities between the major browsers. Almost all reports show IE doing better than fx Chrome and Safari.
2. Re: Its not soup yet by Anonymous Coward · 2014-02-13 20:54 · Score: 0
  
  IE, as of about version 9, is on par with other major browsers in terms of security. It only gets more publicity because, let's face it, it's IE, and still the most widely used browser.
3. Re: Its not soup yet by icebike · 2014-02-13 21:11 · Score: 4, Insightful
  
  IE, as of about version 9, is on par with other major browsers in terms of security. It only gets more publicity because, let's face it, it's IE, and still the most widely used browser.
  It depends on who you ask.
  http://gs.statcounter.com/ shows Chrome clearly in the lead.
  http://www.w3counter.com/globa... also shows chrome leading.
  Wikimedia says Chrome leads http://stats.wikimedia.org/wik...
  Just because its common doesn't mean its used. And you don't see these stories about Firefox or Chrome, at least not many. And given the market share that Chrome enjoys you would expect to see many more stories.
  You've fallen for the old Microsoft lie:
  They insist We are attacked because we are popular.
  The real story is they are attacked because they are easy targets.
  
  --
  Sig Battery depleted. Reverting to safe mode.
4. Re: Its not soup yet by RulerOf · 2014-02-14 00:19 · Score: 1
  
  It's more of a problem with IE because Microsoft needs to grow a pair and start pushing patches for remote code execution vulnerabilities the way Google and Mozilla do.
  
  They should still let administrators override them, but I say MS puts WSUS clients on a clock to decline the update centrally. But let's face it... too many shops slack in ensuring their Windows machines are up to date. When it comes to a patch being the difference between "browse the web" and "click this link to turn your computer into a mafia-controlled zombie," it should be downright difficult for a computer with an internet connection to facilitate the latter. Even in that regard, Google could stand to force the browser restart after a certain amount of time... I can't even recall how many times I've seen three beet-red lines in the top right corner of someone's Chrome windows.
  
  --
  Boot Windows, Linux, and ESX over the network for free.
5. Re:Its not soup yet by Type44Q · 2014-02-14 02:33 · Score: 2
  
  IE Zero-Day Exploit Used In Attack Targeting Military Intelligence
  IE... Military Intelligence...
  Now I understand why those last two words are considered a blatant contradiction. :p
6. Re: Its not soup yet by Anonymous Coward · 2014-02-14 03:17 · Score: 0
  
  I get what you're trying to say, and you have a valid point, but you are mistaking total page views for user base. IE has a larger active user base than Chrome, but they view less pages. Hence why NetMarketShare has IE over Chrome.
7. Re:Its not soup yet by Anonymous Coward · 2014-02-14 04:02 · Score: 2, Insightful
  
  This exploit relies on TWO concurrent vectors: 1) You must be running and using IE10 (which has already been superseded by IE11, which is immune to this attack) and 2) You must have Adobe Flash installed.
  BOTH of these conditions are necessary for this attack to work. Anyone who has kept their updates up (and therefore has IE11), doesn't use Flash or has installed the EMET (http://technet.microsoft.com/en-us/security/jj653751) is immune to this attack which is, obviously, actually just ANOTHER Flash-based vulnerability! and yet you limit your spurious attacks to (an outdated version of) Internet Explorer (*surprise*) ...
  Clearly the same ole /. FUD factory continues spouting it's age-old hypocrisy...
  -AC
8. Re:Its not soup yet by cavreader · 2014-02-14 07:09 · Score: 1
  
  Since when has the VFW been a military intelligence agency? That's like saying the President keeps his confidential information off a link on the WhiteHouse.org public site or the FBI provides a link to their confidential information on their public site.
9. Re: Its not soup yet by icebike · 2014-02-14 12:39 · Score: 1
  
  No, IE doesn't have a larger active user base. That is what these statistics are showing you.
  IE may be more available, because its on almost every computer shipped. But it is not the most used browser. People avoid it. They don't USE it. They refuse to be among the "user base".
  The page views measure usage, not availability, and clearly Chrome wins the page-views. And that is all that matters.
  
  --
  Sig Battery depleted. Reverting to safe mode.
10. Re: Its not soup yet by Billly+Gates · 2014-02-14 14:16 · Score: 1
  
  Chrome has had 3 emergency updates since version 32 came out in December due to security issues!
  Stop the IE bashing as it is old. Infact, Firefox is less secure than modern IE is as it is not sanboxed or runs in lowrights mode which means it has access to the file system.
  There have been thousands of exploits of all 3 browsers since their infancy.
  
  --
  http://saveie6.com/
11. Re:Its not soup yet by Type44Q · 2014-02-15 02:03 · Score: 1
  
  Since when has the VFW been a military intelligence agency?
  I didn't RTFA (and so had no idea the VFW were involved), but... have you ever met those guys?? Fact is, if you're a Rambo-type, you've gotta be able to do it all yourself; strategy, combat, procurement/logistics... and intel.
12. Re:Its not soup yet by cavreader · 2014-02-16 08:21 · Score: 1
  
  The Veterans of Foreign Wars (VFW) is a non-profit support organization for veterans who have served in every war since 1899. It lobbies for veteran benefits while also organizing and participating in community service initiatives with military veterans. They were instrumental in creating the GI Bill of Rights in 1944. I have never forgotten what my grandfather once told me when I was 10 years old. We were driving past a VFW sign and I made the kind of joke a 10 year old makes and said "oh look it's the very funny women" office. My grandfather stopped the car and in the most serious voice I had ever heard from him he told me that's not funny in the least and never show that kind of disrespect towards the VFW ever again. At the time I was a little young to understand what he was upset about but in later years I came to understand. He was a WW2 veteran who survived both Iwo Jima and Okinawa and the VFW was a life line for him and many others who came home from that terrible war and desperately needing support to put the horrors they experienced behind them and do so with others that understood what they experienced. The VFW mission has not changed and that's saying a lot in this world where principles and honor are discarded on a whim in return for political expediency and juicy sound bites.
Sigh by ledow · 2014-02-13 20:25 · Score: 3, Insightful

If military intelligence are using IE 10 with Flash enabled, they really need to drop the last half of their name.
1. Re:Sigh by satuon · 2014-02-13 20:53 · Score: 1
  
  I run Chrome, but I've set the flash-plugin to be always-ask. That combines the best of both worlds - I still can watch flash videos if I want, at much less risk.
2. Re:Sigh by Anonymous Coward · 2014-02-13 21:20 · Score: 0
  
  > If military intelligence are using IE 10 with Flash enabled, they really need to drop the last half of their name.
  Pffht. Groucho Marx knew that long time before IE10 (and long time before IE6 at that!).
  Ah, btw. Beta sucks.
3. Re:Sigh by c0lo · 2014-02-13 22:09 · Score: 2
  
  If military intelligence are using IE 10 with Flash enabled, they really need to drop the last half of their name.
  ummm... somebody please explain how "US Veterans of Foreign Wars" equates "military intelligence"
  (I mean, in other ways than "they were the one to survive, so they may not be stupid").
  
  --
  Questions raise, answers kill. Raise questions to stay alive.
4. Re:Sigh by mgf64 · 2014-02-13 23:23 · Score: 2
  
  Military intelligence is an oxymoron.
5. Re:Sigh by StormReaver · 2014-02-14 00:45 · Score: 1
  
  Military intelligence has always been an oxymoron, so this shouldn't surprise anyone.
"watering hole" attack by Anonymous Coward · 2014-02-13 20:33 · Score: 0

that's a new one. Still waiting for the "snake in the grass" attack and "mother-in-law has moved in" attack
1. Re:"watering hole" attack by icebike · 2014-02-13 20:43 · Score: 2
  
  Not that new.
  Its been around since 2009 at least. The term is best explained by the above article.
  However the RSA has started slinging this name about in 2012.
  The hallmark is simply planting your malware where your targets often go.
  
  --
  Sig Battery depleted. Reverting to safe mode.
Military intelligence by Anonymous Coward · 2014-02-13 20:56 · Score: 3, Funny

Biggest oxymoron since Microsoft works.
"military intelligence" by Anonymous Coward · 2014-02-13 21:05 · Score: 0

It's 2014 - can't we stop putting those two words together? It's like "religious reason" or "ideological pragmatism".
VFW? by smittyoneeach · 2014-02-13 21:54 · Score: 3, Insightful

Dude, the VFW is substantially a drinking club for old warhorses.
TFA is akin to saying the Commies infiltrated DFW to score information on the U.S. Air Force.
YHBT. HAND.

--
Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
1. Re:VFW? by dbIII · 2014-02-13 22:02 · Score: 1
  
  Since B52's are still in the air (for example) that may not actually be a bad idea.
2. Re:VFW? by Anonymous Coward · 2014-02-14 01:28 · Score: 1
  
  The VFW is also visited by current military members. Bigger yet are retirees that are now contractors. Those are targets.
3. Re:VFW? by Mashdar · 2014-02-14 02:11 · Score: 1
  
  While TFS is a bit overblown, the idea is that currently employed people might go to the VFW website. (vet != retired)
4. Re:VFW? by Anonymous Coward · 2014-02-14 06:58 · Score: 0
  
  Imagine Hank Hill and friends but with Lots-O-Medals
5. Re:VFW? by ValentineMSmith · 2014-02-14 07:46 · Score: 2
  
  Uhh... No.
  At least, not my post. And our post (and district, and department) are trying really really hard to break this old stereotype. Now, I'm not going to tell you that ethanol isn't ingested in a VFW club. But there's no drinking at a meeting, and many of the posts in our district are finding that those that live by the drinking club, die by the drinking club. Our post doesn't have a club, and we're in a much better financial position to help needy veterans and their families because of it.
  And leadership? Fully half the leadership of my post and district are Gulf War (or later) veterans.
  We exist to help each other and help other veterans. Period.
  The problem is that those stereotypes still persist, because people enjoy perpetuating them. And because, in a lot of instances, the VFW (and the American Legion) don't really go out of their way to announce what they're doing. They just do what needs to be done and walk away.
  We just don't drop the money on the advertising campaigns that Wounded Warrior Project does. If you take a look, though, at how much the CEO of WWP makes and compare that to the salary of the VFW National Commander (and American Legion National Commander), you'll see why most veterans' organizations are pretty irritated with WWP.
  
  --
  Karma: Chameleon - mostly influenced by bad '80s New Wave music
This is not news. by etash · 2014-02-13 22:12 · Score: 0

News would be: no new exploits have been found in IE during the last year.
VFW by westlake · 2014-02-13 23:39 · Score: 1

This is the VFW
Robert H. Jordan VFW Post 7125
and this is the VFW: Where the V.F.W. Is Both Tough and Feminine
IE or Flash? by Alarash · 2014-02-13 23:42 · Score: 1

How's that an IE vulnerability if it uses Flash as a vector? Are they adding the iFrame in a non-standard way that only IE is susceptible to?
1. Re:IE or Flash? by Zero__Kelvin · 2014-02-14 00:31 · Score: 2
  
  " Exploitation is aborted if the user is browsing with a different version of IE or has installed Microsoft’s Experience Mitigation Toolkit (EMET). "
  It is a flash vulnerability, but they are only tageting IE version 10 sans EMET.
  
  --
  Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
2. Re:IE or Flash? by hawkinspeter · 2014-02-14 00:36 · Score: 1
  
  It's an IE vulnerability (use-after-free to bypass ASLR) that loads a flash-based payload. Just because the payload is in flash doesn't mean that the vulnerability is not in IE.
  
  --
  You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
3. Re:IE or Flash? by RabidReindeer · 2014-02-14 02:47 · Score: 0
  
  How's that an IE vulnerability if it uses Flash as a vector? Are they adding the iFrame in a non-standard way that only IE is susceptible to?
  More likely that since (squeaky Ballmer voice at anti-trust hearing) "Internet Explorer is an integral part of Microsoft Windows" that the exploit was able to tunnel out of Flash and into IE (acting as the container) and thence into Windows.
FireEye by westlake · 2014-02-13 23:56 · Score: 1

"They continue to under-promise and over-deliver. And that continues to be their sort of mantra."
FireEye expects a loss of 51-56 cents per share for the quarter.
Cybersecurity firm FireEye sees weak revenue, warns on costs Feb 11
95% of all networks are compromised. Is yours secure?
Intelligence? by Zero__Kelvin · 2014-02-14 00:27 · Score: 1, Insightful

They use IE and then wonder why we say "Military Intelligence" is an oxymoron?

--
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Really? by nospam007 · 2014-02-14 00:37 · Score: 2

'US Veterans of Foreign Wars'
Are there any others alive?
1. Re:Really? by ltrand · 2014-02-14 02:32 · Score: 3, Informative
  
  Plenty of veterans have never been in a combat zone. The American Legion allows any veteran with an honorable discharge to join. The VFW requires time in a recognized foreign combat zone.
  
  So, while I could join the VFW because of my time in OIF, my uncle can't because he served during peace (80's & 90's) and did not see combat.
So it's been like what... by Anonymous Coward · 2014-02-14 01:15 · Score: 1

15 years since Microsoft announced they were going to take Security seriously in Windows? And there's been like what 10 major versions if Internet Explorer? (6 of which were since this big decision) And we're still seeing zero-day exploits coming out?
NOT Attack against military sites by Anonymous Coward · 2014-02-14 01:18 · Score: 0

It's the VFW site...come on, people.
Stop using Flash! by Anonymous Coward · 2014-02-14 01:48 · Score: 0

Seems to me the common problem always is Flash player. Its the open door to a lot of exploits. I simply do not use Flash with IE ever! If you want Flash content then use Chrome or Firefox with a click to Flash add On. Something that isolates Flash player far better then IE. The only way to help protect you in IE from Flash exploits is try using Active X filtering. I don't know of many who actually do this, but it will help.
Bad title by jodido · 2014-02-14 02:29 · Score: 2

I think someone pointed this out already but let me emphasize--hacking the VFW for getting "military intelligence" suggests that the hackers know approximately zero about what the VFW is. First of all, a huge percentage of anyone with access to worthwhile military intelligence is not in the military at all. Second, the VFW--rtf initials--Veterans of Foreign Wars--and since very few Iraq or Afghanistan veterans ever joined, the average age is about 90. My first thought at reading this was that the hackers are from some very foreign country using MS Word for translation from English.
1. Re:Bad title by Anonymous Coward · 2014-02-14 08:55 · Score: 0
  
  Correct, except the average age being 90. Most of them are in their sixties and were in Vietnam, very few of them from Korea will you find there. And there were no foreign wars from 1975 until the first Iraq war, so no veterans from that era.
VFW? Military Intelligence? IE what, sonny? by Anonymous Coward · 2014-02-14 03:45 · Score: 0

With great respect to the Veterans of Foreign Wars (VFW), these fine old gentlemen
play bingo, cards, drink beer, reminisce, do community outreach, and sponsor many
fine programs to help today's youth succeed tomorrow.
What they do not do is military intelligence.
Also it's unlikely they have a computer let alone that should they have one it has
anything past IE6 on it ;)
Targeting a VFW is worse than targetting your grandmother's house.
Mark
Here's another Oxymoron by Spiked_Three · 2014-02-14 07:51 · Score: 1

Secure OpenSource

--
slashdot troll = you make a compelling argument I do not like the implications of.
Re:VFW? Military Intelligence? IE what, sonny? by ValentineMSmith · 2014-02-14 07:58 · Score: 1

Not necessarily. A lot of our membership is still in the Reserves or National Guard. If they can get inside the military network, they can have a little bit of fun. When I was in, all of the truly classified stuff was on an internal network that was actually physically separated from the Real World. I can't swear that this is still the case, but I'd be greatly surprised if it wasn't.

--
Karma: Chameleon - mostly influenced by bad '80s New Wave music
Target: Military "Intelligence" by Jeremiah+Cornelius · 2014-02-14 09:02 · Score: 1

Nothing of value was lost or impaired.

--
"Flyin' in just a sweet place,
Never been known to fail..."
IE11 is pretty good (for IE) by Anonymous Coward · 2014-02-17 02:54 · Score: 0

Only 1 thing wrong w/ IE imo, & it's mostly "flexibility-related" (as opposed to what I feel's the MOST natively flexible + natively 'feature-laden' browser there is, Opera 12.16):
1.) The ability to SELECTIVELY make policies per site, especially regarding the usage of things like javascript, frames/iframes, plugins (on demand usage ONLY), cookies, JAVA, + referrer information etc. PER SITE (globally blocking them, but only makiing 'exceptions sites' as is needed for using those items enmasse OR individually on said site(s)). That I can do in Opera (true Opera, not "chopera"), however I cannot in ANY build-version of IE.
* IF an MS built IE browser could do that? I *might* even consider using it as my default browser...
(Why?? Those things ARE the 'doorways' INTO your PC is why - by global default making them disabled on ALL sites by default (& for say, shopping or banking sites that demand database access ONLY, I turn them on...))
IE in most any form has 1 thing going for it though - it's really NICE for doing INTRANET apps in a business environs via Visual Studio/ASP.NET though - that's always been an actual STRENGTH of it from my perspective as a developer @ least, largely in business environs 1994-2014 in an MIS capacity.
APK
P.S.=> Yesterday, a pal of mine showed me a VERY flexible build of an IE "Trident" engine based browser called AVANT (which even has a sort of native 'adblock' feature built in based on the sqlite flatfile db engine + regular expressions based filtering vs. them) & a LOT more features than that I can't even BEGIN to list here (& fit it into a single post), that ALMOST has me wanting to give it a shot over IE 11 (or possibly, even Opera 12.16 64-bit here)...
... apk