A hack of the U.S. Department of Labor web site that was revealed late last week is being described as a “watering hole” style attack aimed at compromising the systems of other government workers, in part using an exploit for a previously unknown (or “zero day”) security vulnerability in some versions of Microsoft’s Internet Explorer web browser.(*)
Multiple reports last week indicated that a security breach of the Department of Labor web site had occurred. Early accounts said that visitors to the site using versions of Internet Explorer were being attacked with exploits for a known vulnerability. Over the weekend, however, researchers analyzing the attacks said that they used an exploit for a zero day hole in IE8, and that details of the attack tie it to a China-based hacking group known as “Deep Panda.”
In a blog post on Friday, researchers at the security firm Invincea said that they believed that the vulnerability targeted during the attack only affected IE8 and was a previously undiscovered “use-after-free memory vulnerability” that could give a remote attacker the ability to run malicious code on a vulnerable system. Invincea said that, even after applying MS13-008 (KB2799329), the recent patch that resolves the vulnerability believed to have been the target of the attack, “we were still able to reproduce the malware infection” used in the attack.
In a security bulletin published Friday, Microsoft said it is looking into the reports and is “aware of attacks that attempt to exploit this vulnerability.”
“We released Security Advisory 2847140 to alert customers to a vulnerability affecting Internet Explorer 8. Internet Explorer 6, 7, 9 and 10 are not affected,” said Dustin Childs, Group Manager, Response Communications, Microsoft Trustworthy Computing in an e-mail statement. “We strongly encourage customers to follow the workarounds listed in the advisory while we continue working on a full update to address this issue.”
“Use after free” vulnerabilities have become increasingly common targets of malicious hackers. They occur when a program continues to use a region of memory after it has been released (“freed”) for reuse, so that the stale reference may now point at data the program did not intend. Accessing such memory can crash the application and, if an attacker can control what is placed in the freed region, it creates the conditions for running malicious code on the vulnerable system. Malicious hackers can set up web pages that exploit the vulnerability when visited using vulnerable versions of affected browsers.
According to a report on the web site NextGov, the compromised pages used in the attacks were related to “Site Exposure Matrices” published on the Department of Labor’s web site. Those matrices (or lists) describe “nuclear-related illnesses linked to Energy facilities and toxicity levels at each location that might have sickened employees developing atomic weapons.” Anup Ghosh, the CEO of security firm Invincea, wrote that the attack “bears the hallmarks of a classic watering hole attack targeting certain employees working in nuclear weapons for the (Department) of Energy.”
Microsoft has advised its customers to apply software updates and consider installing its Enhanced Mitigation Experience Toolkit (EMET) to help fight infections.
This is just the latest in a series of so-called “watering hole” attacks targeting government workers and political figures within the U.S. government. In January, a compromise at the website of The Council on Foreign Relations was widely seen as an effort to gain access to influential D.C. policymakers and officials. A similar incident affecting the web site of The National Journal was reported in March. In watering hole attacks, victims aren’t attacked directly. Rather, attackers compromise a trusted, third-party web site that the intended targets are likely to visit, then launch a silent attack when they visit the site.
In a recent analysis of “Deep Panda,” the group believed responsible for the attacks, the firm Crowdstrike said that the group was known to “target various strategic interests of the United States including High Tech/Heavy Industry, Non-Governmental Organizations (NGOs), State/Federal Government, Defense Industrial Base (DIB), and organizations with vast economic interests.”
(*) Updated to add comment from Microsoft. PFR 5/6/2013