The web site of the Council of Foreign Relations (CFR) may not have been the only target of sophisticated attackers who used a previously unknown (“zero day”) vulnerability in Microsoft’s Internet Explorer web browser to compromise the computers of those who visited the site, a new report claims.
Eric Romang, a Luxembourg-based security expert at the firm Zataz.com said that he has discovered an almost identical compromise to the CFR hack on the web site of Capstone Turbine Corporation, a California-based manufacturer of small, energy-efficient power turbines. His investigation uncovered malicious files similar to those used on the CFR site that were used to launch a so-called “heap spray” attack against visitors using the Internet Explorer web browser, triggering the zero day vulnerability.
Romang was among the first to isolate the script used to launch the drive by download attack used on the CFR web site. Writing on Wednesday, he said the compromise at Capstone predates the attack against the Council of Foreign Relations ‘s web site by more than two months, suggesting that the attacks were both wider and older than initially reported. Romang’s research also suggests that the CFR hack occurred earlier than was first reported – perhaps December 21st or earlier.
Trusted Computing Group has how-to and demos with Microsoft, GE, Infineon, OnBoard Security, Wibu-Systems at IoT Solutions World Congress. Get your free expo pass code 111B9B47 or discount conference pass code 526E24AF
Romang did not immediately respond to an interview request from The Security Ledger.
It is unclear if Capstone Turbine was, itself, the target of the attack, or whether it was used as a “watering hole” – a target of opportunity that is used to get access to the real targets – individuals who are known to frequent the site, as the CFR web site is believed to have been used.
Based in Chapsworth, California, Capstone Turbine Corp. (NASDAQ:CPST) manufactures small, low-emission turbine generators that are powered by natural gas, diesel, propane or gasoline. Capstone turbines are used as backup power supplies, or to power equipment in remote locations, such as those used for oil exploration. The company claims to be the first to market commercially viable, low-emission turbines. Capstone is also the exclusive distributor of Cleancycle, a technology for micro turbines developed by Calnetix Power Solutions (CPS) that recovers waste heat from industrial processes and uses it to produce electricity. The manufacturing giant GE announced in October that it had purchased CPS. Capstone did not respond to phone or e-mail requests for comment prior to publication.
That fits the profile of companies that are believed to be high-value targets for industrial espionage from firms based in China. A 2011 report from the U.S. National Counterintelligence Executive (NCIX) (PDF) warned that “civilian and dual-use technologies” were a top priority for the Chinese government, which is believed to actively support cyber espionage in the U.S. and elsewhere. That includes so-called “clean technologies” including “energy-generating technologies that produce reduced carbon dioxide and other emissions,” according to NCIX.
The report from Romang adds to the picture of a sophisticated attack that first surfaced late last week, when word of a compromise of the web site of the Council of Foreign Relations first surfaced. The attacks were notable for their reliance on a previously unknown hole in IE.
On Monday, Microsoft issued an emergency fix for that vulnerability, (CVE-2012-4792) which was described in a Security Advisory (#2794220) as a “remote code execution vulnerability” in code that governs the way that “Internet Explorer accesses an object in memory that has been deleted or (improperly) allocated.” The “use after free” vulnerability could allow a malicious attacker to create a malicious web page that would exploit the vulnerability to corrupt memory in a way that could be used to execute arbitrary code in the context of the current user within Internet Explorer, Microsoft said.