Update: Microsoft to patch just-revealed Windows zero-day tomorrow
Memory-resident malware triggered when users running IE browsed to 'watering hole' website
Computerworld - Security researchers have uncovered an unpatched vulnerability in Windows that has been exploited by attackers in an unusual "watering hole" campaign launched from a U.S.-based website that specializes in domestic and international security policy.
Monday afternoon, Microsoft confirmed that it will patch the flaw tomorrow as part of its regularly-scheduled monthly security updates. According to Microsoft, the bug is in all supported client editions of Windows, ranging from the 12-year-old Windows XP to the just-released Windows 8.1.
Over the weekend, security vendor FireEye of Milpitas, Calif. said that the bug had been exploited through Internet Explorer 7 (IE7), IE8, IE9 and IE10, and attacks had been seen in the wild against PCs running either Windows XP or Windows 7.
"The attack is fairly precise in its targeting methods," said Darien Kindlund, manager of threat intelligence at FireEye, in an interview early Monday. "The watering hole attack was set up [to trigger] only at certain times and [on PCs] from certain locations on the network. [The attackers] controlled this access so tightly because the attack was a completely memory-based type of payload."
In a watering hole attack, cyber criminals identify likely targets, even to the individual level, then scout out which websites they frequently visit. Next the attackers compromise one or more of those sites, plant malware on them, and like lions hunker down at a watering hole, snare victims who browse there.
Kindlund declined to name the watering hole website, but said that its theme was domestic and foreign security policy.
Users who surfed to the site with IE during the hours when the attack "window" was open, and whose IP addresses identified them as valuable targets, would have had their Windows machines silently hijacked.
The attacks were unusual. The exploits left no trace on the computer's hard disk drive. Instead, the hackers loaded the attack code directly into memory, where it executed. Because the payload was non-persistent, it vanished when the PC was restarted, a process that wipes clean system memory.
In-memory attacks like this have been seen before, but as far as FireEye knew, only in exploits originating from sophisticated organized crime groups trying to steal money from victims' bank accounts. "This type of memory-resident attack has not been seen before in targeted attacks that appear to be linked to threat actors who may or may not have ties to nation states," said Kindlund.
The advantage of an ephemeral exploit is that it is much more difficult to detect ("There's very little footprint," said Kindlund), and thus extremely hard to figure out which PCs have been compromised.
"The cons are that there's a degradation of reliability of the exploit," said Kindlund, "because once the end-point [PC] is compromised, the attackers have to have operators available."
Since the hijacked PC returns to a non-compromised state after a reboot, the hackers had to be prepared, with someone ready to jump in and begin searching for information to steal. "It's not automated," said Kindlund of the data-stealing process. "A human has to drive the RAT [remote access tool] to exfiltrate data or move laterally through the network [to look for data]."
The data thieves had to work fast, again because of the possibility of a PC restart, which would erase the malware. The attack window was opened early in the workday, local time, in order to maximize the amount of time the hackers had. Most users don't reboot their computers during the workday, and turn them off, if at all, only at the end of the day.
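Because the payload lives only in RAM, the hard disk of a victim will not show it; the durable evidence is the web proxy log, which records which IE clients reached the watering-hole site during the attack window. The script below is an added example, not code from Computerworld or FireEye, that hunts through proxy logs for exactly the four traits the article describes (the site, IE7 through IE10, the early-workday window, and a client address range the attackers cared about) so that the matching machines can be memory-imaged before anyone reboots them. The log format, the host name `watering-hole.example` (the article does not name the site), the 07:00 to 10:00 window and the `10.20.3.0/24` target range are all assumptions made for the illustration, and the log lines are constructed.

```python
"""Hunt proxy logs for the watering-hole pattern described in the article.

Added example, not from the article or from FireEye. The log format, the
placeholder host name, the attack window hours, and the target address range
are all assumptions chosen for illustration.
"""
import ipaddress
import re
from datetime import datetime

# Constructed sample proxy log lines: time, client IP, method, URL, User-Agent.
SAMPLE_LOG = """\
2013-11-11T08:12:44 10.20.3.15 GET http://watering-hole.example/policy/brief.html "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
2013-11-11T08:15:02 10.20.3.15 GET http://watering-hole.example/js/ie.js "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
2013-11-11T13:40:10 10.20.3.77 GET http://watering-hole.example/policy/brief.html "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
2013-11-11T08:30:55 192.168.9.4 GET http://watering-hole.example/ "Mozilla/5.0 (Windows NT 6.1; rv:25.0) Gecko/20100101 Firefox/25.0"
2013-11-11T09:01:17 10.20.3.80 GET http://news.example/today "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
"""

WATERING_HOLE_HOST = "watering-hole.example"      # placeholder: the article does not name the site
WINDOW_START, WINDOW_END = 7, 10                  # assumed "early in the workday" window, local hours
VULNERABLE_IE = re.compile(r"MSIE (7|8|9|10)\.")  # IE7 through IE10, the versions the article lists
TARGET_NETS = [ipaddress.ip_network("10.20.3.0/24")]  # assumed range the attackers treated as valuable

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, ua = m.groups()
    host = re.match(r"https?://([^/]+)", url)
    return {
        "time": datetime.fromisoformat(ts),
        "client": ipaddress.ip_address(client),
        "host": host.group(1) if host else "",
        "url": url,
        "ua": ua,
    }


def in_target_net(addr):
    return any(addr in net for net in TARGET_NETS)


def is_suspect(rec):
    """True only when all four traits line up: the site, a vulnerable IE,
    a request inside the attack window, and a client in the targeted range."""
    return (rec["host"] == WATERING_HOLE_HOST
            and VULNERABLE_IE.search(rec["ua"]) is not None
            and WINDOW_START <= rec["time"].hour < WINDOW_END
            and in_target_net(rec["client"]))


def hunt(log_text):
    """Return {client IP: earliest matching request time} for clients that
    should be memory-imaged before they are rebooted."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_suspect(rec):
            hits.setdefault(str(rec["client"]), rec["time"])
    return hits


if __name__ == "__main__":
    for ip, first_seen in sorted(hunt(SAMPLE_LOG).items()):
        print(f"{ip}: first hit {first_seen.isoformat()}, capture RAM before reboot")
```

On the constructed sample, only 10.20.3.15 is flagged: 10.20.3.77 visited the site with IE8 but outside the window, 192.168.9.4 used Firefox from an untargeted range, and 10.20.3.80 used IE7 but never reached the watering hole. The four-way match is deliberate: loosening it to "any IE visit to the site" would still be a useful lead, but the timing and source-address gating is what separates the attackers' chosen victims from ordinary readers of the same site.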