Internet Explorer Zero-Day Exploit Targets Nuclear Weapons Researchers.
Attackers exploited a
previously unknown and currently unpatched security bug in Microsoft's Internet
Explorer browser to surreptitiously install malware on the computers of federal
government workers involved in nuclear weapons research, researchers said Friday.
The attack code appears to have
exploited a zero-day vulnerability in IE version 8 when running on Windows XP,
researchers from security firm Invincea said in a blog post. The researchers have
received reports that IE running on Windows 7 is susceptible to the same
exploit but have not been able to independently confirm that. Versions 6 and 7
of the Microsoft browser don't appear to be vulnerable.
Update: In an advisory published a couple of hours
after this article went live, Microsoft confirmed a code-execution
vulnerability in IE8. Versions 6, 7, 9, and 10 of the browser are not affected by the
exploit. People using IE8 should upgrade to version 9 or 10, if at all
possible. Those who are unable to move away from version 8 should apply the
following mitigations:
· Set Internet and local intranet security zone settings to
"High" to block ActiveX Controls and Active Scripting in these zones.
This will help prevent exploitation but may affect usability; therefore, trusted sites should be added to the Internet Explorer Trusted Sites zone to minimize disruption.
· Configure Internet Explorer to prompt before running Active
Scripting or to disable Active Scripting in the Internet and local intranet
security zones.
This will help prevent exploitation but can affect usability, so trusted sites should be added to the Internet Explorer Trusted Sites zone to minimize disruption.
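The two interim mitigations above can be applied without clicking through the Internet Options dialog on every machine. The following PowerShell script is an added example, not code from the article, Invincea or Microsoft's advisory. It writes the per-user Internet Explorer zone settings that the dialog edits: zone 1 is Local intranet, 3 is Internet and 2 is Trusted sites; value 1200 is "Run ActiveX controls and plug-ins", 1400 is "Active scripting", and each takes 0 (enable), 1 (prompt) or 3 (disable); CurrentLevel 0x12000 is the "High" preset. The hostname added to Trusted sites is an assumption for illustration.

```powershell
# Added example (not from the article or Microsoft's advisory): apply the
# advisory's two interim IE8 mitigations by writing the per-user zone settings
# directly, then whitelist one host in Trusted sites so it keeps working.

$zonesKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zoneMapKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

# Zone security presets stored in CurrentLevel (High is what the advisory asks for).
$LevelHigh   = 0x12000
$LevelMedium = 0x11000   # the default for the Internet zone; shown for comparison only

# Per-action settings: 0 = enable, 1 = prompt, 3 = disable.
$Enable = 0; $Prompt = 1; $Disable = 3

function Set-IEZoneMitigation {
    param(
        [ValidateSet(1, 3)] [int] $Zone,   # 1 = Local intranet, 3 = Internet
        [switch] $PromptInsteadOfDisable   # second mitigation offers either choice
    )
    $key = Join-Path $zonesKey $Zone
    $scriptingMode = if ($PromptInsteadOfDisable) { $Prompt } else { $Disable }

    # Mitigation 1: raise the zone to "High". Setting the preset alone does not
    # rewrite every per-action value, so the two that matter are set explicitly.
    Set-ItemProperty -Path $key -Name 'CurrentLevel' -Value $LevelHigh -Type DWord
    Set-ItemProperty -Path $key -Name '1200' -Value $Disable -Type DWord       # ActiveX controls and plug-ins
    # Mitigation 2: prompt for, or disable, Active Scripting.
    Set-ItemProperty -Path $key -Name '1400' -Value $scriptingMode -Type DWord # Active scripting
}

function Add-IETrustedSite {
    param([string] $HostName)
    # ZoneMap\Domains\<host> with an http/https value of 2 places the host in
    # Trusted sites (zone 2). If the zone's "Require server verification" option
    # is on, only the https entry is honoured.
    $key = Join-Path $zoneMapKey $HostName
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'https' -Value 2 -Type DWord
    Set-ItemProperty -Path $key -Name 'http'  -Value 2 -Type DWord
}

function Get-IEZoneState {
    param([int] $Zone)
    # Read back what IE will actually use, for verification after the change.
    $p = Get-ItemProperty -Path (Join-Path $zonesKey $Zone)
    [pscustomobject]@{
        Zone           = $Zone
        CurrentLevel   = ('0x{0:X}' -f $p.CurrentLevel)
        ActiveX_1200   = $p.'1200'
        Scripting_1400 = $p.'1400'
    }
}

# Harden the Internet (3) and Local intranet (1) zones, then whitelist one host.
foreach ($z in 3, 1) { Set-IEZoneMitigation -Zone $z }
Add-IETrustedSite -HostName 'intranet.example.gov'   # assumed hostname, not from the article
foreach ($z in 3, 1, 2) { Get-IEZoneState -Zone $z | Format-Table -AutoSize }
```

Two caveats before rolling this out. If the machine has the "Security Zones: Use only machine settings" policy enabled (the Security_HKLM_only value under the HKLM copy of the same Internet Settings key), IE ignores the HKCU values and the same writes must be made under HKLM instead; Group Policy zone settings likewise take precedence over anything written here. On Windows XP, where PowerShell is an optional install, the identical keys and values can be written with `reg add` from cmd.exe or imported from a .reg file.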
The attack was triggered by a
US Department of Labor website that was compromised to redirect visitors to a
series of intermediary addresses that ultimately exploited the vulnerability,
according to Invincea. The exploit caused vulnerable Windows machines to be
compromised by "Poison Ivy," a notorious backdoor trojan that had
been modified so it was detected by only two
of 46 major antivirus programs in
the hours immediately following the attack. The specific webpages that were
hacked dealt with illnesses suffered by employees and contractors developing
atomic weapons for the Department of Energy, the blog post said, citing this report from NextGov. That's consistent with
so-called "watering hole" attacks, in which employees of a targeted
organization are infected by planting malware on the sites they're known to
frequent.
"The target of this attack
appears to be employees of the Dept of Energy that likely work in nuclear
weapons research," Invincea researchers wrote in a separate report published Wednesday.
The report went on to cite this
technical analysis from security
firm AlienVault. It found indicators in the command-and-control servers Poison Ivy
contacted that the attack was carried out by "DeepPanda," a group of
hackers believed to be located in China and to carry out espionage attacks on
other countries.
Initial reports about the
Department of Labor website compromise said an older IE vulnerability that Microsoft
patched in January had been
exploited. It was only in Friday's report that Invincea said this assessment was
incorrect.