Cyber criminals expand use of CVE-2014-0322 before Patch Tuesday
Posted by Elad Sharf on 10 March 2014 06:24 PM
Ahead of the fix for the Internet Explorer zero-day CVE-2014-0322, due on Patch Tuesday, March 11, we thought it would be helpful to look at how this exploit was used in the lure stage, since this may reveal some of the tactics that crimeware and targeted-attack actors use today. We've seen this latest zero-day employed in targeted attacks involving a cybersquatted domain that appeared to target the French Aerospace Association, as described in our previous blog post on the subject. Since then, exploit instances using CVE-2014-0322 have been carried out in crimeware attacks in the wild, and it appears that the exploit source code from the initial attacks was made public, which contributed to the wider use of the zero-day.
The public availability of the exploit code led to additional exploit instances appearing in the wild, served from compromised websites by actors looking to make a quick profit from the security hole. In this blog we take a look at the cybersquatted website initially used to deploy the zero-day and at several high-profile websites that later served it for crimeware propagation. Specifically, we look at the lure stage of the attacks to understand how code was used there with the ultimate aim of redirecting victims to the exploit.
Top websites seen injected with malicious code leading to the exploit utilizing CVE-2014-0322:
gifas.assso.net - impersonating the GIFAS French Aerospace Association website (http://gifas.asso.fr), hosted in Santa Clara, CA
hatobus.co.jp - Japanese travel website, hosted in Tokyo, Japan
english.com.tw - Taiwanese English school, hosted in San Antonio, Texas, USA
chemistry.hku.hk - Hong Kong University Chemistry Department, hosted in Hong Kong, China
vfw.org - Veterans of Foreign Wars, hosted in Blue Springs, Missouri, USA
The initial lure and attack vector - cybersquatted domain @ hxxp://gifas.assso.net
The lure in the initial attacks appears to have been a cybersquatted domain, hxxp://gifas.assso.net, taking advantage of the legitimate domain hxxp://gifas.asso.fr, which belongs to the French Aerospace Association. The attack used the fake domain with content copied from the legitimate website, plus an additional *iFrame* that led to the exploit hosted on the same host at hxxp://gifas.assso.net/include.html. The cybersquatted website still carries evidence that its code was copied from another site, in the form of a "watermark" comment below the iFrame that begins <!-- saved from ...
The fake gifas.assso.net is hosted on IP address 220.127.116.11, which appears to host other hostnames serving malicious code. We found that the IP hosted update19.homelinux.org, an exact replica of gifas.assso.net and probably a test bed set up before launching the actual attack.
High-profile compromises utilizing CVE-2014-0322
As described, the code that exploits CVE-2014-0322 was publicly available, and from that point it is very easy for different actors to employ it, or rather to "copy and paste" it, and change the dropper payload to whatever they want to infect users with. Of course, different lure websites are needed to propagate infections. One of the best ways to achieve that is through compromised websites that seamlessly redirect browsing users to the exploit, a method that has been common in the crimeware domain for years. Websense Security Labs™ noticed several website injections that made use of CVE-2014-0322. In this case in particular, what brings the most "revenue" to the actors behind the infections is not necessarily the number of compromised websites the exploit is served from but their quality: the popularity of the compromised websites the actors manage to control plays a big part in maximizing the number of infections, and indeed we saw some popular websites serving this new zero-day in various ways.
A high-profile website injected with code leading to the zero-day was a very popular transportation website in Japan called "Hatobus" at hxxp://www.hatobus.co.jp/, first spotted by security researcher @PhysicalDrive0 on Feb 23rd 2014. "Hatobus" offers local residents and tourists bus travel information and other travel services. The website enjoys a weekly visit count of ~25,000 visits, with a substantial amount of its traffic originating from referrals from other top travel websites in Japan:
[Images above are courtesy of similarweb.com]
Interestingly, the exploit code was hosted on hatobus.co.jp as well, at hxxp://www.hatobus.co.jp/images/ie.html, which means that the browsing user is lured and exploited under one domain. This approach takes the punch out of some security solutions, since no suspicious redirects to other websites are in play: all the attack stages are served from one domain from start to finish.
In a classic copycat case, the exploit code was identical to the one used by the cybersquatted website gifas.assso.net, with one difference: an additional exploit aimed at Java users was served, and the attackers set a counter to know exactly how many visiting users hit their malicious script. The Java exploit was referenced by an additional iFrame that loads a JAR file taking advantage of CVE-2013-2465. Upon successful exploitation, a file is dropped that appears to be a banker specifically targeting users of the Japanese banking websites jp-bank.japanpost.jp and mizuhobank.co.jp.
Additional high-profile websites that were compromised and served a "copycat" exploit for CVE-2014-0322 were the Taiwanese English school website (hxxp://www.english.com.tw) and the Hong Kong University Chemistry Department (hxxp://www.chemistry.hku.hk); the latter was again a case of an iFrame redirecting browsing users to a copy of the exploit. It's interesting to note that on the Taiwanese English school website the exploit was included directly on the *main* page, with no iFrame or other form of redirect. This bold approach has been seen before on compromised websites, but it's rare to see an exploit used in such a manner:
It's evident that exploit code for an unpatched vulnerability finding its way into the public domain can have quite an impact: exploit code crafted for a targeted attack is later copied and used to drop crimeware binaries. We saw the exploit code for CVE-2014-0322 embedded and served in a variety of ways as it "evolved" in scale, starting from a cybersquatted lure website used in low-volume, selective, "under the radar" targeted attacks, to hidden iframes and exploit code placed directly on compromised websites with the ultimate aim of hitting as many browsing users as possible with crimeware.
The use of iFrame tags to seamlessly redirect users to malicious code is an old and popular method, especially when a compromised website is used as a lure, and iFrames are still widely used for legitimate purposes across the web. We don't see a reason why this will cease to be a popular choice for malware actors redirecting to malicious code. This ongoing and quite old trend raises a question on the defensive side: how can the phenomenon of malicious iFrames be answered? They have long been a method of choice in the arsenal of actors behind crimeware and targeted attacks. Tackling the subject requires close familiarity with the "ins and outs" of the web. It's a challenge to distinguish a legitimate iFrame from a malicious one, since both may share similar suspicious traits. However, it is possible to distinguish malicious iFrames from legitimate ones by estimating the probability of a malicious outcome from the different contexts available in real time. The more context available, the better the accuracy: where is the iFrame leading the user? What are the iFrame tag's features? What website served the iFrame? Is that site in a risk category? Was it compromised before? Websense Advanced Classification Engine (ACE) has a dedicated engine designed to detect malicious iFrames; it assesses the context of an iFrame and, if the elements are found to pose a potential risk, blocks the redirection in real time. The decision is reached by an embedded machine learning algorithm (see the image of the simplified process below).
While it's important to employ security solutions to protect against cyber-attacks, it's also important to keep your local software up to date and patch your operating system. The Patch Tuesday advance notification for the fix for CVE-2014-0322 can be found here.
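The context signals listed above (destination, tag features, serving site reputation) can be turned into a simple scoring rule. The following is an added example written for this post, not Websense ACE code and not from the original analysis; it also covers the same-domain case described earlier, where the iframe stays on the compromised host and a redirect-only check would see nothing. All domains, the risk list and the sample HTML are constructed; the `/images/ie.html` path is the one quoted in the post.

```python
"""Context-based scoring of <iframe> tags (added example, not ACE code).

Each iframe is scored on the kinds of context the post lists: where it leads,
what its tag attributes look like, and whether the serving or destination host
is already on a risk list. Sample data below is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed stand-in for a reputation feed (hypothetical domain).
RISK_LIST = {"malware-drop.example"}

# Plugin payload types loaded through iframes in the attacks described above.
RISKY_EXTENSIONS = (".jar", ".swf")


class IframeCollector(HTMLParser):
    """Collects the attribute dictionary of every <iframe> in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _dimension(value):
    """Parse '0', '1px' or '100%' into a number; None if unparsable."""
    v = value.strip().rstrip("%").rstrip("px").strip()
    try:
        return float(v)
    except ValueError:
        return None


def score_iframe(attrs, serving_host):
    """Return (score, reasons); a higher score means a likelier malicious redirect."""
    score, reasons = 0, []
    src = attrs.get("src", "")
    dest = urlparse(src)
    dest_host = dest.hostname or serving_host  # a relative src stays on the same host
    style = attrs.get("style", "").replace(" ", "").lower()

    w, h = _dimension(attrs.get("width", "")), _dimension(attrs.get("height", ""))
    if (w is not None and w <= 1) or (h is not None and h <= 1):
        score += 3; reasons.append("near-zero dimensions")
    if "display:none" in style or "visibility:hidden" in style:
        score += 3; reasons.append("hidden via CSS")
    if "position:absolute" in style and ("left:-" in style or "top:-" in style):
        score += 2; reasons.append("positioned off-screen")
    if dest_host != serving_host:
        score += 1; reasons.append("leads off the serving site")
    if dest_host in RISK_LIST:
        score += 4; reasons.append("destination on risk list")
    if dest.path.lower().endswith(RISKY_EXTENSIONS):
        score += 3; reasons.append("loads a plugin payload (jar/swf)")
    if serving_host in RISK_LIST:
        score += 2; reasons.append("serving site previously flagged")
    return score, reasons


def scan_page(html, serving_host, threshold=4):
    """Score every iframe in html; 'block' is True when the score reaches threshold."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        score, reasons = score_iframe(attrs, serving_host)
        findings.append({"src": attrs.get("src", ""), "score": score,
                         "reasons": reasons, "block": score >= threshold})
    return findings


# Constructed page: one legitimate map embed, one hidden same-host iframe
# (the pattern seen on the Japanese travel site), one off-site JAR loader.
SAMPLE_HTML = """
<html><body>
<p>Timetables</p>
<iframe src="https://maps.example.org/embed" width="600" height="400"></iframe>
<iframe src="/images/ie.html" width="0" height="0" style="display:none"></iframe>
<iframe src="http://malware-drop.example/j.jar" width="1" height="1"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for f in scan_page(SAMPLE_HTML, "travel.example.jp"):
        verdict = "BLOCK" if f["block"] else "allow"
        print(f"{verdict} {f['src']} score={f['score']} {f['reasons']}")
```

The hidden same-host iframe scores on its tag features alone, which is the point: the redirect is not what gives it away, the zero-size, display:none frame is. The weights and threshold are arbitrary choices for illustration; a production classifier would learn them from labelled data, as the post describes for ACE.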
MSIE 0-day Exploit CVE-2014-0322 - Possibly Targeting French Aerospace Association
Posted by AlexWatson on 14 February 2014 07:54 AM
CVE-2014-0322 Attack Analysis
Contributors: Alex Watson, Victor Chin - Websense Security Labs
Websense Security Labs ThreatSeeker telemetry has confirmed the existence of the Microsoft Internet Explorer 10 0-day exploit CVE-2014-0322 as early as January 20, 2014, predating the previously believed first use by nearly three weeks.
The CVE-2014-0322 exploit has been seen hosted and delivered from the following URL, which was first seen by Websense on January 20, 2014:
hxxp://gifas.assso.net is presumably a fake site meant to look like hxxp://gifas.asso.fr, which is a French aerospace association:
GIFAS, the French aerospace industries association, has more than 300 members, from major prime contractors and system suppliers to small specialist companies. Activities extend from civil and military aircraft and helicopters to engines, missiles and armament, satellites and launch vehicles, plus aerospace, defence and security major systems, equipment, subassemblies and associated software.
The use of the very similar domain name may indicate that the French aerospace association is the target, but this domain does not yet appear to be part of a campaign with active lures.
Domain History for assso.net
An anonymous DNS registration service was originally used to register the domain "assso.net", which was updated to direct users to the malicious site on January 20, 2014.
Name Servers: NS05.DOMAINCONTROL.COM|NS06.DOMAINCONTROL.COM
Registrar Name: GODADDY.COM, LLC
As of January 28, 2014, gifts.assso.net resolved to 18.104.22.168, an IP address geolocated to Santa Clara, Calif. We noticed the SHA1 for Tope.swf being uploaded to VirusTotal on January 20 (the same day the fake gifas.assso.net site was set up), with no detection by AV vendors at the time. Presumably the attackers did this to check AV coverage of their malware before starting their attacks, further indicating that January 20 was the initial rollout of this campaign using the 0-day.
Similarity with other observations of CVE-2014-0322
As seen in the HTTP stream shown below, visitors to hxxp://gifts.assso.net are linked to include.html, which sets up the ROP exploit and loads the "Tope.swf" Shockwave Flash file (SHA1: 910de05e0113c167ba3878f73c64d55e5a2aff9a), which is used after the CVE-2014-0322 use-after-free vulnerability to access memory through ActionScript in the SWF file.
Checking for Microsoft's Exploit Mitigation Toolkit
var steeple ="<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'res://C:\\windows\\AppPatch\\EMET.DLL'>";
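The quoted line references EMET.DLL through the IE-only res:// protocol; no legitimate page has a reason to name that DLL in a DOCTYPE or anywhere else, so the reference itself is a usable detection signal for web proxies and sandbox page dumps. The following is an added example written for this post, not part of the original analysis. The sample page contents are constructed; only the probe string itself comes from the page.

```python
"""Flag pages that probe for EMET.DLL via a res:// URI (added example).

Matches res:// references to EMET.DLL case-insensitively, whether the path
uses single backslashes (as rendered) or doubled ones (as escaped inside a
JavaScript string, like the quoted exploit line). Sample pages are constructed.
"""
import re

# res://  then any run of non-quote, non-space characters (lazily), then a path
# separator (two backslashes, one backslash, or a slash) and the file name.
EMET_PROBE = re.compile(
    r"res://[^'\"\s>]*?(?:\\\\|\\|/)EMET\.DLL",
    re.IGNORECASE,
)


def find_emet_probes(page_text):
    """Return every matched res:// reference to EMET.DLL found in page_text."""
    return [m.group(0) for m in EMET_PROBE.finditer(page_text)]


def classify_page(page_text):
    """'emet-probe' if the page tests for EMET, otherwise 'clean'."""
    return "emet-probe" if find_emet_probes(page_text) else "clean"


# Constructed page carrying the probe in JavaScript-escaped form (\\\\ in this
# Python source is two backslashes in the string, as in the quoted script line).
PROBE_PAGE = (
    "<script>var steeple =\"<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 "
    "Transitional//EN' 'res://C:\\\\windows\\\\AppPatch\\\\EMET.DLL'>\";</script>"
)

# Constructed benign page with a normal public DTD reference.
CLEAN_PAGE = (
    "<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' "
    "'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>"
)

# Constructed variant: single backslashes and lower-case file name.
LOWER_PAGE = "<script>var p = 'res://C:\\Windows\\AppPatch\\emet.dll';</script>"

if __name__ == "__main__":
    for name, page in (("probe", PROBE_PAGE), ("clean", CLEAN_PAGE), ("lower", LOWER_PAGE)):
        print(name, classify_page(page), find_emet_probes(page))
```

Because the check is a plain string pattern, it is cheap enough to run inline on proxy-inspected HTML; a hit says the page is fingerprinting the client's mitigations, which is worth blocking or at least alerting on regardless of which exploit follows.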
Malicious Content in Tope.swf Shockwave Flash File
Below is the code in Tope.swf that leads to a second-stage dropper called "Erido.jpg":
The code above shows the Shockwave Flash ActionScript downloading content but not storing it to a file. The follow-on code below shows a buffer being written and read as little endian, denoting the byte order of the byte array to be executed. The _local(x) variables appear to be in-memory calculations, which leads us to believe this is an "in memory" only attack, presumably to make antivirus detection more difficult.
Analysis of the Malicious ActionScript (AS3) Code
Below is the use-after-free vulnerability, which is triggered when the Vector class is allocated and freed:
In the code above, the string:
appears to be the culprit that causes the vulnerable code to return into the allocated malicious memory space.
Links to DeputyDog and EphemeralHydra Campaigns
The similarities in the exploit, the delivery and the search for EMET.DLL indicate that the same group of threat actors is most likely behind the malicious URL above and the attacks covered by FireEye. More detailed analysis is coming soon.
If you are concerned about your exposure to this vulnerability through the use of Microsoft Internet Explorer 10, we recommend that you consider upgrading to Internet Explorer 11. You can find more information on Microsoft's IE page here.
This attack is known to check for the presence of Microsoft's Enhanced Mitigation Experience Toolkit (EMET). If it is found then the exploit attempt terminates. You can find out more about how to deploy EMET in Microsoft's overview here and the EMET knowledge base article.