Internet Explorer Zero-Day Exploit Reportedly Exploited in Targeted Attacks
Researchers from Chinese internet security firm Qihoo 360 have uncovered a sophisticated targeted attack which, according to them, exploits an unpatched vulnerability in Microsoft’s Internet Explorer browser.
The company made the announcement in a short Twitter message and said that it shared technical details about the flaw with Microsoft. A bit more information about the attack was published in a Chinese-language post on Weibo.
The vulnerability, which Qihoo 360 has named “double kill,” is said to reside in Internet Explorer but is triggered through a Microsoft Word document that embeds a malicious web page. According to the company’s researchers, it affects not only the latest versions of Internet Explorer but also applications that embed its HTML rendering engine, such as Microsoft Word.
The targeted attack that currently exploits this vulnerability is attributed to a known advanced persistent threat (APT) group and delivers a trojan that allows attackers to take control of infected computers. The last phase of the exploit uses a known technique to bypass the Windows User Account Control (UAC) prompt.
The attack also makes use of sophisticated techniques such as file steganography, memory reflection and fileless code loading, the 360 researchers said, adding that the exploit code and payload are loaded from a remote server.
Microsoft has a lot of information on how to strengthen Office against document-based attacks, including using the Protected View mode in Office 2016, which opens documents from untrusted sources in a read-only sandbox. However, there is always the chance that a document will exploit a previously unknown and unpatched (zero-day) vulnerability, as in this case, so users should always be wary of opening documents from untrusted sources.
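As an added example (not code from the article or from Microsoft), the script below audits whether Protected View has been switched off for any document source. Office 2016 stores three per-application opt-out switches (DisableInternetFilesInPV, DisableAttachmentsInPV, DisableUnsafeLocationsInPV) under the application's Security\ProtectedView key, with Group Policy values in the Policies hive overriding the user's own; the sample values used when the script is run off Windows are constructed.

```python
"""Audit Office 2016 Protected View opt-out switches.

Added example, not part of the article. Each DWORD below set to 1 turns
Protected View OFF for that source of documents; 0 or absent keeps it on.
"""
import sys
from typing import Dict, List

# Registry value names under ...\<App>\Security\ProtectedView (Office 16.0).
PV_SWITCHES = {
    "DisableInternetFilesInPV": "files downloaded from the internet",
    "DisableAttachmentsInPV": "Outlook attachments",
    "DisableUnsafeLocationsInPV": "files in unsafe locations",
}
APPS = ("Word", "Excel", "PowerPoint")


def assess_protected_view(values: Dict[str, int]) -> List[str]:
    """Return the document sources for which Protected View is switched off,
    given the raw DWORD values of one app's ProtectedView key.
    Names missing from the dict count as 0 (Protected View stays enabled)."""
    return [desc for name, desc in PV_SWITCHES.items() if values.get(name, 0) == 1]


def effective_values(user: Dict[str, int], policy: Dict[str, int]) -> Dict[str, int]:
    """Merge user choices with Group Policy: a policy value wins, name by name."""
    merged = dict(user)
    merged.update(policy)
    return merged


def read_pv_values(app: str, policy: bool = False) -> Dict[str, int]:
    """Read one app's ProtectedView key from HKCU (user or Policies hive).
    Windows only; returns {} when the key or its values do not exist."""
    import winreg  # standard library, but only importable on Windows

    base = r"Software\Policies\Microsoft\Office\16.0" if policy else r"Software\Microsoft\Office\16.0"
    path = base + "\\" + app + r"\Security\ProtectedView"
    found: Dict[str, int] = {}
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
            for name in PV_SWITCHES:
                try:
                    val, _ = winreg.QueryValueEx(key, name)
                    found[name] = int(val)
                except FileNotFoundError:
                    pass  # value not set: Protected View stays on for that source
    except FileNotFoundError:
        pass  # key absent: all defaults
    return found


if __name__ == "__main__":
    if sys.platform.startswith("win"):
        for app in APPS:
            off = assess_protected_view(
                effective_values(read_pv_values(app), read_pv_values(app, policy=True))
            )
            print(f"{app}: Protected View OFF for {off}" if off else f"{app}: Protected View on")
    else:
        # Constructed sample: a user disabled Protected View for downloads,
        # and policy has not reasserted it.
        sample_user = {"DisableInternetFilesInPV": 1}
        sample_policy: Dict[str, int] = {}
        print("Word (sample):", assess_protected_view(effective_values(sample_user, sample_policy)))
```

Any non-empty result is a weakening worth reverting, and setting the same names to 0 under the Policies hive is the way to pin Protected View on for users who cannot be trusted to leave it alone.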
Microsoft has yet to publicly confirm the vulnerability reported by Qihoo 360 and it’s not clear if it will release an out-of-band patch to fix it or wait until next month’s Patch Tuesday. The company only breaks out of its regular patch cycle to fix vulnerabilities that are at a high risk of being exploited in widespread attacks.
Sophisticated Attack Group Targets Healthcare Sector
Over the past three years, a group of hackers has aggressively targeted healthcare organizations in the United States, Europe and Asia, infecting their computers and networks with a backdoor program, according to researchers from Symantec.
The group, which the researchers have dubbed Orangeworm, has operated since at least January 2015, but there’s no evidence to suggest it’s state-sponsored. Its primary tool is a Trojan program called Kwampirs that spreads through network shares and allows attackers to execute commands and gather information from computers.
“The group appears to choose its targets carefully and deliberately, conducting a good amount of planning before launching an attack,” the Symantec researchers said in a report.
The group has also compromised organizations from other industries including manufacturing, IT and logistics, but Symantec believes this was part of a larger supply-chain attack in which the targets were chosen because they could serve as an entry-point into healthcare-related organizations.
“While these industries may appear to be unrelated, we found them to have multiple links to healthcare, such as large manufacturers that produce medical imaging devices sold directly into healthcare firms, IT organizations that provide support services to medical clinics, and logistical organizations that deliver healthcare products,” the researchers said.
The group’s end goal is not clear, but its Kwampirs malware was found installed on computers that control high-tech imaging devices such as x-ray and MRI machines and systems used to assist patients in completing consent forms for required procedures.
Using network shares to propagate inside local networks is an old and well-known method that is fairly noisy, since one source touching administrative shares on host after host stands out in share-access logs, so the attackers probably don’t care too much about remaining undiscovered. However, the technique can be very effective against machines running legacy operating systems such as Windows XP, which is still prevalent in the healthcare industry.
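The noise that share-based propagation produces can be turned into a detection. Below is an added example (not code from the article or from Symantec's report) that scans constructed records modelled on the fields of Windows Security event 5140 ("A network share object was accessed") and flags any source account/IP pair that touches an administrative share (ADMIN$ or C$) on several distinct hosts within a short window. The record format, host names, accounts, addresses and thresholds are all assumptions for the example.

```python
"""Flag one source sweeping administrative shares across many hosts.

Added example, not part of the article. Input records are a constructed,
pipe-separated simplification of event 5140 fields:
    timestamp | host that logged the access | account | source IP | share name
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

ADMIN_SHARES = {"ADMIN$", "C$"}   # IPC$ left out: far too noisy on a real network
WINDOW = timedelta(minutes=5)     # sweeps are clustered in time
THRESHOLD = 3                     # distinct hosts within WINDOW before alerting

# Constructed sample log. svc_backup hits four hosts in 40 seconds;
# helpdesk touches two hosts 40 minutes apart; jdoe only opens a normal share.
SAMPLE_LOG = r"""
2018-04-19T09:00:01|IMG-WS01|svc_backup|10.1.5.20|\\*\ADMIN$
2018-04-19T09:00:08|NURSE-PC07|svc_backup|10.1.5.20|\\*\ADMIN$
2018-04-19T09:00:15|MRI-CTRL|svc_backup|10.1.5.20|\\*\C$
2018-04-19T09:00:40|FRONTDESK2|svc_backup|10.1.5.20|\\*\ADMIN$
2018-04-19T09:01:02|IMG-WS01|jdoe|10.1.7.33|\\*\Shared
2018-04-19T09:30:00|NURSE-PC07|helpdesk|10.1.2.9|\\*\ADMIN$
2018-04-19T10:10:00|MRI-CTRL|helpdesk|10.1.2.9|\\*\ADMIN$
"""

Record = Tuple[datetime, str, str, str, str]  # ts, host, account, ip, share


def parse(log: str) -> List[Record]:
    """Parse the constructed log; the share is reduced to its last path element."""
    records: List[Record] = []
    for line in log.strip().splitlines():
        ts, host, account, ip, share = line.split("|")
        records.append((datetime.fromisoformat(ts), host, account, ip, share.rsplit("\\", 1)[-1]))
    return records


def find_share_sweeps(records: List[Record], window: timedelta = WINDOW,
                      threshold: int = THRESHOLD) -> Dict[Tuple[str, str], List[str]]:
    """Return {(account, ip): sorted hosts} for every source that accessed an
    admin share on at least `threshold` distinct hosts inside `window`."""
    by_source: Dict[Tuple[str, str], List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, host, account, ip, share in records:
        if share.upper() in ADMIN_SHARES:
            by_source[(account, ip)].append((ts, host))

    alerts: Dict[Tuple[str, str], List[str]] = {}
    for source, hits in by_source.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # slide the window forward until it spans at most `window`
            while hits[end][0] - hits[start][0] > window:
                start += 1
            hosts = {h for _, h in hits[start:end + 1]}
            # keep the largest set of hosts seen for this source
            if len(hosts) >= threshold and len(hosts) > len(alerts.get(source, [])):
                alerts[source] = sorted(hosts)
    return alerts


if __name__ == "__main__":
    for (account, ip), hosts in find_share_sweeps(parse(SAMPLE_LOG)).items():
        print(f"ALERT: {account} from {ip} hit admin shares on {len(hosts)} hosts: {', '.join(hosts)}")
```

On the sample, only svc_backup from 10.1.5.20 is reported; the helpdesk account is spread out enough in time to fall below the threshold. Tune WINDOW and THRESHOLD against a baseline of legitimate backup and patch-management accounts, which are the usual false positives for this rule.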