Veterans Targeted In Attack Using IE 10 Zero Day

Visitors to the web site of the Veterans of Foreign Wars (VFW) are being targeted in an attack that exploits a previously unknown hole in Microsoft’s Internet Explorer 10 web browser, according to warnings Thursday by security firms.

[Image: VFW home page] The website of the VFW was used in a cyber attack on current and former service members, the firm FireEye said Thursday.

Some visitors to the website of the Veterans of Foreign Wars (VFW), vfw[dot]org, were the victims of a ‘watering hole’ attack that takes advantage of a previously unknown ‘use-after-free’ vulnerability in Microsoft’s Internet Explorer 10 web browser. The VFW site was hacked and then altered to silently redirect visitors to a malicious website programmed to exploit vulnerable versions of IE 10 on systems running 32-bit versions of the Windows operating system.
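The article says only that the VFW site was altered to redirect visitors silently. As an added example (not code from the article or from FireEye), the scanner below looks for the common ways such a redirect is injected into a compromised page: a hidden or one-pixel iframe, a meta refresh, or a script that assigns `location`, in each case pointing off-site. The trusted-host list, the injection patterns checked, and the sample page are all assumptions constructed for this example; the off-site host uses the reserved `.invalid` domain.

```python
"""
Added example: scan a page for silent off-site redirects of the kind a
watering-hole injection leaves behind. Not the article's or FireEye's code;
the patterns checked and the sample page are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the page is allowed to load framed content from (assumption for the example).
TRUSTED_HOSTS = {"vfw.org", "www.vfw.org"}

HIDDEN_STYLE = re.compile(r"(display\s*:\s*none|visibility\s*:\s*hidden)", re.I)
# window.location = "..."; document.location.href = "..."; top.location = "..."
JS_REDIRECT = re.compile(
    r"(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]", re.I)
META_REFRESH = re.compile(r"url\s*=\s*['\"]?([^'\";]+)", re.I)


def _offsite(url):
    """True when the URL is absolute and its host is not one we trust."""
    host = urlparse(url).hostname
    return bool(host) and host.lower() not in TRUSTED_HOSTS


def _tiny(attrs):
    """Zero- or one-pixel frames are a classic way to hide an exploit page."""
    return attrs.get("width", "").strip() in {"0", "1"} or \
           attrs.get("height", "").strip() in {"0", "1"}


class RedirectScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []       # list of (kind, target_url)
        self._in_script = False
        self._script = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            src = a.get("src", "")
            hidden = HIDDEN_STYLE.search(a.get("style", "")) or _tiny(a)
            if src and hidden and _offsite(src):
                self.findings.append(("hidden-iframe", src))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = META_REFRESH.search(a.get("content", ""))
            if m and _offsite(m.group(1)):
                self.findings.append(("meta-refresh", m.group(1)))
        elif tag == "script":
            self._in_script = True
            self._script = []

    def handle_data(self, data):
        if self._in_script:
            self._script.append(data)   # script bodies arrive raw (CDATA mode)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            for m in JS_REDIRECT.finditer("".join(self._script)):
                if _offsite(m.group(1)):
                    self.findings.append(("script-redirect", m.group(1)))


def scan_html(html):
    """Return the list of suspicious off-site redirects found in the page."""
    p = RedirectScanner()
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample page: one legitimate frame, one hidden frame, one gated
# script redirect. Nothing here is taken from the real vfw.org.
SAMPLE_PAGE = """<html><head><title>Sample</title>
<meta http-equiv="refresh" content="5; url=/news">
</head><body>
<iframe src="https://www.vfw.org/calendar" width="600" height="400"></iframe>
<iframe src="http://example.invalid/exploit.html" width="1" height="1" style="display:none"></iframe>
<script>if (navigator.userAgent.indexOf("MSIE 10") > 0) { window.location = "http://example.invalid/landing.html"; }</script>
</body></html>"""

if __name__ == "__main__":
    for kind, target in scan_html(SAMPLE_PAGE):
        print(kind, target)
```

Run it against a copy of your own site fetched from outside your network and diff the findings against a known-good baseline; injected redirects are usually added near the end of the body or inside an existing script, and the relative meta refresh in the sample is deliberately not flagged because it stays on-site.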

The VFW did not immediately respond to e-mail and phone requests for comment.

According to a write-up by the security firm FireEye, the vulnerability allows the attacker to “modify one byte of memory at an arbitrary address” in the affected process. That primitive is enough to bypass Windows’ Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP), two key mitigations designed to make it harder to run unauthorized code on Windows systems.

Once the attackers have a foothold on a compromised system, they install a malicious program dubbed ‘ZxShell,’ a common backdoor that FireEye said has been used in previous cyber espionage incidents. Telltale markers uncovered in the forensic analysis of the attack suggest that the zero day exploit and the malware deposited on victims’ systems are of recent vintage.

[Image: FireEye blog post] FireEye detailed the VFW attack, finding similarities to other attacks on military and civilian targets in the US, Europe and Asia.

FireEye discovered the attack on February 11 in traffic served up from vfw[dot]org. The company said that initial analysis of the attack suggests that it is part of a “strategic Web compromise targeting American military personnel.” FireEye said evidence points to hacking groups responsible for similar campaigns, including ‘Operation DeputyDog,’ which targeted high-profile Japanese firms as well as the US security firm Bit9, and ‘Operation Ephemeral Hydra,’ targeting military and public policy personnel.
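For an organization whose users visit vfw.org, the first incident-response question is who was exposed. The following is an added example, not code from the article or from FireEye: it triages web-proxy log lines for clients that reached vfw.org on or after February 11 with the browser profile the article says the exploit page targeted, Internet Explorer 10 on 32-bit Windows. The log format, the sample lines, the IP addresses and the decision to also flag a 32-bit IE process on 64-bit Windows (the `WOW64` user-agent token) for review are all assumptions made for this example; the article itself names only 32-bit Windows.

```python
"""
Added example: find proxy-log clients exposed to the vfw.org redirect.
Not the article's or FireEye's code; the log format and sample lines are constructed.
"""
import re
from datetime import datetime
from urllib.parse import urlparse

# Constructed log format: <iso-timestamp> <client-ip> <url> "<user-agent>"
LOG_LINE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')

# Internet Explorer identifies itself with "MSIE <major>.<minor>".
MSIE = re.compile(r"MSIE (\d+)\.\d+")

# Start of the exposure window: the day FireEye says it found the redirect.
# The article gives no end date (site cleanup or patch), so none is assumed here.
WINDOW_START = datetime(2014, 2, 11)

WATCHED_HOSTS = ("vfw.org", "www.vfw.org")


def classify_ua(ua):
    """Return 'exposed', 'review' or 'not-targeted' for one user-agent string."""
    m = MSIE.search(ua)
    if not m or int(m.group(1)) != 10:
        return "not-targeted"          # not IE 10 at all
    if "Win64" in ua or "x64" in ua:
        return "not-targeted"          # 64-bit IE process, outside the article's stated scope
    if "WOW64" in ua:
        return "review"                # 32-bit IE on 64-bit Windows (assumption: worth a look)
    return "exposed"                   # IE 10 on 32-bit Windows, the stated target


def triage(lines, watched_hosts=WATCHED_HOSTS, start=WINDOW_START):
    """Return (client_ip, timestamp, verdict) for every hit worth following up."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue                   # skip lines that do not match the format
        ts, ip, url, ua = m.groups()
        if urlparse(url).hostname not in watched_hosts:
            continue
        if datetime.fromisoformat(ts) < start:
            continue                   # visit predates the known window
        verdict = classify_ua(ua)
        if verdict != "not-targeted":
            hits.append((ip, ts, verdict))
    return hits


# Constructed sample log: private IPs, plausible IE/Chrome user-agents.
SAMPLE_LOG = [
    '2014-02-12T09:14:03 10.1.4.22 http://www.vfw.org/ "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"',
    '2014-02-12T09:15:10 10.1.4.23 http://www.vfw.org/ "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"',
    '2014-02-12T09:16:41 10.1.4.24 http://www.vfw.org/ "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Win64; x64; Trident/6.0)"',
    '2014-02-12T09:17:00 10.1.4.25 http://www.vfw.org/ "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/32.0.1700.107 Safari/537.36"',
    '2014-02-10T16:00:00 10.1.4.26 http://www.vfw.org/ "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"',
    '2014-02-12T09:18:12 10.1.4.27 http://www.example.invalid/ "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"',
]

if __name__ == "__main__":
    for ip, ts, verdict in triage(SAMPLE_LOG):
        print(ip, ts, verdict)
```

A proxy hit only shows that a client fetched the page, not that the exploit fired, so each host this returns still needs endpoint examination for the ZxShell backdoor the article describes before it is declared clean or compromised.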

The security firm Symantec also said it has evidence of attacks using a previously unknown hole in IE 10, though the company declined to name the web site. In a blog post Thursday, Symantec said its initial analysis found that the backdoor used in this attack takes “screenshots of the victim’s desktop and allows the attacker to take control of the victim’s computer.” FireEye dubbed the latest attack ‘SnowMan,’ saying that the attackers’ timing, which coincided with a huge snowstorm affecting the Washington D.C. area and the (upcoming) President’s Day federal holiday on Monday was no coincidence.

This week also saw the release of Microsoft’s monthly security patches, and the malicious binary is dated the same day as Microsoft’s Patch Tuesday. Online attackers have long timed the release of new attacks to just after Patch Tuesday, forcing Microsoft either to wait a month to issue a patch or to push out a rare out-of-cycle software update.

“A possible objective in the SnowMan attack is targeting military service members to steal military intelligence. In addition to retirees, active military personnel use the VFW website,” FireEye wrote. 

We’ll have more details on this as they become available.
