Internet Explorer Zero-Day Exploit Reportedly Exploited in Targeted Attacks

Researchers from Chinese internet security firm Qihoo 360 have uncovered a sophisticated targeted attack which, according to them, exploits an unpatched vulnerability in Microsoft’s Internet Explorer browser.

The company made the announcement in a short Twitter message and said that it shared technical details about the flaw with Microsoft. A bit more information about the attack was published in a Chinese-language post on Weibo.

The vulnerability, which Qihoo 360 has named “double kill,” is supposedly located in Internet Explorer but is exploited through a Microsoft Word document that embeds a malicious web page. The vulnerability affects not only the latest versions of Internet Explorer but also applications that make use of its HTML rendering engine, such as Microsoft Word, according to the company’s researchers.

The targeted attack that currently exploits this vulnerability is perpetrated by a known advanced persistent threat (APT) group and distributes a trojan that allows attackers to take control of computers. The last phase of the exploit uses a known technique to bypass the Windows User Account Control (UAC) prompt.

The attack also makes use of sophisticated techniques such as file steganography, memory reflection and fileless code loading, the 360 researchers said, adding that the exploit code and payload are loaded from a remote server.

Microsoft has a lot of information on how to strengthen Office against document attacks, including using the Protected View mode in Office 2016. However, there is always the chance that a document could exploit a previously unknown and unpatched (zero-day) vulnerability, as in this case, so users should always be wary of opening documents from untrusted sources.

Microsoft has yet to publicly confirm the vulnerability reported by Qihoo 360 and it’s not clear if it will release an out-of-band patch to fix it or wait until next month’s Patch Tuesday. The company only breaks out of its regular patch cycle to fix vulnerabilities that are at a high risk of being exploited in widespread attacks.

Sophisticated Attack Group Targets Healthcare Sector

Over the past three years, a group of hackers has aggressively targeted healthcare organizations in the United States, Europe and Asia, infecting their computers and networks with a backdoor program, according to researchers from Symantec.

The group, which the researchers have dubbed Orangeworm, has operated since at least January 2015, but there’s no evidence to suggest it’s state-sponsored. Its primary tool is a Trojan program called Kwampirs that spreads through network shares and allows attackers to execute commands and gather information from computers.

“The group appears to choose its targets carefully and deliberately, conducting a good amount of planning before launching an attack,” the Symantec researchers said in a report.

The group has also compromised organizations from other industries including manufacturing, IT and logistics, but Symantec believes this was part of a larger supply-chain attack in which the targets were chosen because they could serve as an entry-point into healthcare-related organizations.

“While these industries may appear to be unrelated, we found them to have multiple links to healthcare, such as large manufacturers that produce medical imaging devices sold directly into healthcare firms, IT organizations that provide support services to medical clinics, and logistical organizations that deliver healthcare products,” the researchers said.

The group’s end goal is not clear, but its Kwampirs malware was found installed on computers that control high-tech imaging devices such as x-ray and MRI machines and systems used to assist patients in completing consent forms for required procedures.

Using network shares to propagate inside local networks is an old and well-known method that’s somewhat noisy, so the attackers probably don’t care too much about remaining undiscovered. However, this technique can be very effective against machines running legacy operating systems such as Windows XP, which is still prevalent in the healthcare industry.
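Because share-based propagation is noisy, it is also a good candidate for detection. The following script is an added example, not code from Symantec or from the article: it reads constructed, pipe-delimited records modelled on Windows Security event 5140 (“A network share object was accessed”) and flags any source address that reaches an unusually large number of distinct hosts within a short window, counting how many of those accesses hit administrative shares (ADMIN$, C$, IPC$). The log format, host names, addresses and thresholds are all assumptions made for the example.

```python
"""Flag network-share fan-out of the kind produced by share-spreading malware.

Added example (not the article's or Symantec's code). Input records are
constructed here, shaped loosely after Windows Security event 5140, as
timestamp|event_id|source_ip|target_host|share_path. Thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional


class ShareAccess(NamedTuple):
    when: datetime
    source_ip: str
    target_host: str
    share: str  # share name only, e.g. "ADMIN$"


# Administrative shares: legitimate admin tooling uses them too, so this is a
# supporting signal, not proof of compromise on its own.
ADMIN_SHARES = {"ADMIN$", "C$", "IPC$"}

# Constructed sample log lines (not real telemetry). One host touches six
# machines in thirty seconds; another just reads a file share twice.
LOG_LINES = [
    "2018-04-20T09:00:01|5140|10.0.5.23|IMG-PACS01|\\\\*\\ADMIN$",
    "2018-04-20T09:00:04|5140|10.0.5.23|IMG-PACS02|\\\\*\\ADMIN$",
    "2018-04-20T09:00:09|5140|10.0.5.23|WS-NURSE07|\\\\*\\C$",
    "2018-04-20T09:00:15|5140|10.0.5.23|WS-NURSE08|\\\\*\\ADMIN$",
    "2018-04-20T09:00:21|5140|10.0.5.23|CONSENT-KIOSK1|\\\\*\\ADMIN$",
    "2018-04-20T09:00:30|5140|10.0.5.23|CONSENT-KIOSK2|\\\\*\\C$",
    "2018-04-20T09:01:02|5140|10.0.7.41|FILESRV01|\\\\*\\Shared",
    "2018-04-20T09:05:40|5140|10.0.7.41|FILESRV01|\\\\*\\Shared",
    "2018-04-20T09:00:00|4624|10.0.5.23|IMG-PACS01|",  # logon event, not a share access
]


def parse_line(line: str) -> Optional[ShareAccess]:
    """Parse one constructed record; return None for anything that is not a 5140."""
    fields = line.split("|")
    if len(fields) != 5 or fields[1] != "5140":
        return None
    when, _, source_ip, target_host, share_path = fields
    share = share_path.rsplit("\\", 1)[-1]  # "\\*\ADMIN$" -> "ADMIN$"
    return ShareAccess(datetime.fromisoformat(when), source_ip, target_host, share)


def detect_fan_out(events: List[ShareAccess],
                   window: timedelta = timedelta(minutes=5),
                   min_targets: int = 5) -> List[dict]:
    """Return one finding per source that reached >= min_targets distinct hosts
    inside any sliding window of the given length."""
    by_source = defaultdict(list)
    for ev in events:
        by_source[ev.source_ip].append(ev)

    findings = []
    for source_ip, evs in by_source.items():
        evs.sort(key=lambda e: e.when)
        best: set = set()
        # Slide a window starting at each event; keep the largest distinct-host set.
        for i, start in enumerate(evs):
            in_window = {e.target_host for e in evs[i:] if e.when - start.when < window}
            if len(in_window) > len(best):
                best = in_window
        if len(best) >= min_targets:
            admin_hits = sum(1 for e in evs if e.share.upper() in ADMIN_SHARES)
            findings.append({
                "source_ip": source_ip,
                "targets": sorted(best),
                "admin_share_hits": admin_hits,
            })
    return findings


def analyze(lines: List[str]) -> List[dict]:
    """Parse raw lines, drop non-share events, and run the fan-out heuristic."""
    events = [ev for ev in map(parse_line, lines) if ev is not None]
    return detect_fan_out(events)


if __name__ == "__main__":
    for finding in analyze(LOG_LINES):
        print(f"{finding['source_ip']} reached {len(finding['targets'])} hosts "
              f"({finding['admin_share_hits']} admin-share accesses): "
              f"{', '.join(finding['targets'])}")
```

The threshold and window are deliberately conservative so that a backup server or a patch-management host, which legitimately fan out to many machines, can be baselined and excluded by source address rather than tuning the numbers down. On networks that still run Windows XP, the share-access event may not be available at all on the target side, which is one more reason to collect it from the modern hosts and file servers that the older machines talk to.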


Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at lucian@constantinsecurity.com or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
