Archive for November, 2013

Watering Hole is a computer attack strategy identified in 2012 by the RSA security firm. The attacker wants to attack a particular group (organization, industry, or region). The attack consists of three phases:

  • Guess (or observe) which websites the group often uses.
  • Infect one or more of these websites with malware.
  • Eventually, some member of the targeted group will get infected.

Relying on websites the group trusts makes this strategy efficient even with groups that are resistant to spear phishing and other forms of phishing.

Ref : http://blogs.rsa.com/lions-at-the-watering-hole-the-voho-affair/

Advertisements

The discovery was announced just a few days after Microsoft revealed the Microsoft Zero-day CVE-2013-3906, a Zero-day vulnerability in Microsoft graphics component that is actively exploited in targeted attacks using crafted Word documents sent by email.

Microsoft graphics component zero-day vulnerability allows attackers to install amalware via infected Word documents and target Microsoft Office users running on Windows Vista and Windows Server 2008.

Recently reported new Internet Explorer zero-day vulnerability detected by FireEye affects the English versions of IE 7 and 8 in Windows XP and IE 8 on Windows 7, but according the experts it can be easily changed to leverage other languages.

FireEye confirmed that the exploit recently detected leverages a new information leakage vulnerability and an IE out-of-bounds memory access vulnerability to achieve code execution, that attackers use the timestamp from the PE headers ofmsvcrt.dll to select the proper exploit.

“The information leak uses a very interesting vulnerability to retrieve the timestamp from the PE headers of msvcrt.dll. The timestamp is sent back to the attacker’s server to choose the exploit with an ROP chain specific to that version of msvcrt.dll.” explained the researcher Xiaobo Chen and Dan Caselden in the post published by FireEye.

The analysis conducted by the research team at FireEye revealed this IE zero-day affects IE 7, 8, 9 and 10, and as happened for the Microsoft Zero-day CVE-2013-3906 , it can be mitigated by EMET per Microsoft’s feedback.

Very interesting the shellcode, the exploit implements a multi-stage shellcode payload that upon successful exploitation, it will launch rundll32.exe (with CreateProcess), and inject and execute its second stage (with OpenProcess, VirtualAlloc, WriteProcessMemory, and CreateRemoteThread). The second stage downloads an executable and run it from disk.

Source : securityaffairs.co