Internet Explorer Zero-Day Exploit Reportedly Exploited in Targeted Attacks

Researchers from Chinese internet security firm Qihoo 360 have uncovered a sophisticated targeted attack which, according to them, exploits an unpatched vulnerability in Microsoft’s Internet Explorer browser.

The company made the announcement in a short Twitter message and said that it shared technical details about the flaw with Microsoft. A bit more information about the attack was published in a Chinese-language post on Weibo.

The vulnerability, which Qihoo 360 has named “double kill,” is supposedly located in Internet Explorer but is exploited through a Microsoft Word document that embeds a malicious web page. The vulnerability affects not only the latest versions of Internet Explorer but also the applications that make use of its HTML rendering engine such as Microsoft Word, according to the company’s researchers.

The targeted attack that currently exploits this vulnerability is perpetrated by a known advanced persistent threat (APT) group and distributes a trojan that allows attackers to take control of computers. The last phase of the exploit uses a known technique to bypass the Windows User Account Control (UAC) prompt.

The attack also makes use of sophisticated techniques such as file steganography, memory reflection and fileless code loading, the 360 researchers said, adding that the exploit code and payload are loaded from a remote server.

Microsoft has a lot of information on how to strengthen Office against document attacks, including using the Protected View mode in Office 2016. However, there is always the chance that a document could exploit a previously unknown and unpatched—zero-day—vulnerability, like in this case, so users should always be wary of opening documents from untrusted sources.

Microsoft has yet to publicly confirm the vulnerability reported by Qihoo 360 and it’s not clear if it will release an out-of-band patch to fix it or wait until next month’s Patch Tuesday. The company only breaks out of its regular patch cycle to fix vulnerabilities that are at a high risk of being exploited in widespread attacks.

Sophisticated Attack Group Targets Healthcare Sector

Over the past three years, a group of hackers has aggressively targeted healthcare organizations in the United States, Europe and Asia, infecting their computers and networks with a backdoor program, according to researchers from Symantec.

The group, which the researchers have dubbed Orangeworm, has operated since at least January 2015, but there’s no evidence to suggest it’s state-sponsored. Its primary tool is a Trojan program called Kwampirs that spreads through network shares and allows attackers to execute commands and gather information from computers.

“The group appears to choose its targets carefully and deliberately, conducting a good amount of planning before launching an attack,” the Symantec researchers said in a report.

The group has also compromised organizations from other industries including manufacturing, IT and logistics, but Symantec believes this was part of a larger supply-chain attack in which the targets were chosen because they could serve as an entry-point into healthcare-related organizations.

“While these industries may appear to be unrelated, we found them to have multiple links to healthcare, such as large manufacturers that produce medical imaging devices sold directly into healthcare firms, IT organizations that provide support services to medical clinics, and logistical organizations that deliver healthcare products,” the researchers said.

The group’s end goal is not clear, but its Kwampirs malware was found installed on computers that control high-tech imaging devices such as x-ray and MRI machines and systems used to assist patients in completing consent forms for required procedures.

Using network shares to propagate inside local networks is an old and well-known method that’s somewhat noisy, so the attackers probably don’t care too much about remaining undiscovered. However, this technique can be very effective against machines running legacy operating systems such as Windows XP, which is still prevalent in the healthcare industry.
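Because share-based propagation is noisy, it is also detectable: a single source writing executables to administrative shares on many hosts in a short window is a pattern that worm-like tools such as the one described above produce and that normal users almost never do. The following Python sketch is an added example, not code from the article or from Symantec's report. The log lines are constructed for the example and only loosely follow the fields of Windows Security event 5145 (network share object access); the field layout, the file names, the threshold of five hosts and the ten-minute window are all assumptions to be tuned for a real environment.

```python
"""
Detection sketch: flag any source address that writes executable files
to administrative shares (ADMIN$, C$, D$, ...) on many distinct hosts
within a short time window.

The records below are CONSTRUCTED for this example. Their columns
(timestamp, source IP, account, target host, share, relative target,
access) approximate Windows Security event 5145; the exact layout of a
real export differs and would need its own parser.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log: one share-access record per line.
SAMPLE_LOG = """\
2018-04-20T09:00:01 10.0.5.17 CORP\\svc_backup WS-0101 ADMIN$ System32\\sample_dropper.exe WriteData
2018-04-20T09:00:04 10.0.5.17 CORP\\svc_backup WS-0102 ADMIN$ System32\\sample_dropper.exe WriteData
2018-04-20T09:00:07 10.0.5.17 CORP\\svc_backup WS-0103 ADMIN$ System32\\sample_dropper.exe WriteData
2018-04-20T09:00:09 10.0.5.17 CORP\\svc_backup WS-0104 C$ Windows\\System32\\sample_dropper.exe WriteData
2018-04-20T09:00:12 10.0.5.17 CORP\\svc_backup WS-0105 ADMIN$ System32\\sample_dropper.exe WriteData
2018-04-20T09:00:15 10.0.5.17 CORP\\svc_backup WS-0106 ADMIN$ System32\\sample_dropper.exe WriteData
2018-04-20T09:05:00 10.0.7.42 CORP\\jdoe FS-01 Projects Q2\\report.docx ReadData
2018-04-20T09:06:30 10.0.7.42 CORP\\jdoe FS-01 Projects Q2\\report.docx WriteData
2018-04-20T10:15:00 10.0.9.8 CORP\\deploy WS-0201 ADMIN$ Temp\\agent_installer.exe WriteData
"""

# Administrative shares: ADMIN$ or a single drive letter followed by '$'.
ADMIN_SHARE = re.compile(r"^(ADMIN\$|[A-Z]\$)$", re.IGNORECASE)
# File types whose arrival on a remote admin share is worth a closer look.
EXEC_EXT = (".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs")


def parse_line(line):
    """Split one constructed record into a dict (7 whitespace-separated fields)."""
    ts, src, account, host, share, target, access = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "account": account,
            "host": host, "share": share, "target": target, "access": access}


def is_exec_write_to_admin_share(rec):
    """True when the record is a write of an executable file to an admin share."""
    return (rec["access"] == "WriteData"
            and ADMIN_SHARE.match(rec["share"]) is not None
            and rec["target"].lower().endswith(EXEC_EXT))


def find_share_spray(log_text, window=timedelta(minutes=10), min_hosts=5):
    """Return {source_ip: sorted target hosts} for every source that wrote
    executables to admin shares on at least `min_hosts` distinct hosts
    inside any `window`-long span. Benign writes (documents, one-off
    deployments to a single host) never reach the threshold."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if is_exec_write_to_admin_share(rec):
            events[rec["src"]].append((rec["ts"], rec["host"]))

    alerts = defaultdict(set)
    for src, evs in events.items():
        evs.sort()                      # time order for the sliding window
        start = 0
        for end in range(len(evs)):
            # Shrink the window from the left until it spans <= `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            hosts = {host for _, host in evs[start:end + 1]}
            if len(hosts) >= min_hosts:
                alerts[src] |= hosts
    return {src: sorted(hosts) for src, hosts in alerts.items()}


if __name__ == "__main__":
    for src, hosts in find_share_spray(SAMPLE_LOG).items():
        print(f"ALERT: {src} wrote executables to admin shares on "
              f"{len(hosts)} hosts: {', '.join(hosts)}")
```

On the constructed sample only 10.0.5.17 is flagged: it touched six hosts within fifteen seconds, while the document edits from 10.0.7.42 and the single installer copy from 10.0.9.8 stay below the threshold. On a legacy estate such as the Windows XP machines mentioned above, the same signal can be collected from the SMB server side or from network telemetry even where endpoint auditing is unavailable.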

May 29, 2018

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at lucian@constantinsecurity.com or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
