Websense security researchers have uncovered new evidence of ongoing, advanced cyber-attacks targeting technology and financial services companies in the Asia-Pacific region.
The recent revelation of a new Internet Explorer 0-day (CVE-2013-3893) focused on attacks against select Japanese companies. New research by the Websense Security Labs reveals several new discoveries, including:
· In the last few days, Websense has intercepted new targeted attacks on Japanese financial firms, using the IE exploit.
· A command and control server (C&C) used in these zero-day attacks has now been documented as part of an attack against a Taiwanese technology company as early as July 1, 2013, predating the first acknowledged IE zero-day attack by six weeks.
This also indicates the attackers are conducting ongoing campaigns across the region. Commonalities in the series of attacks link these episodes to the Operation DeputyDog and Hidden Lynx attack crew(s).
The Hidden Lynx hackers-for-hire crew has allegedly committed multiple data-stealing attacks against businesses dating back to 2009. At the moment, they appear to be focused on targeting Asia Pacific companies.
A full analysis of the most recent attacks may be found on the Websense Security Labs blog.
Would you be interested in speaking with a Websense spokesperson about this latest discovery? Please let me know if you are available and I will gladly arrange a telephone call.
Canned comment to be attributed to Carl Leonard:
“The creation of a zero-day vulnerability takes considerable time and resources. Today’s discoveries suggest that the actors are using this exploit to specifically target companies in APAC. Websense estimates that close to 70 percent of Windows-based PCs are vulnerable to this exploit. Given the huge attack surface, the actors behind these campaigns are racing to target companies before a patch becomes available.
In addition, we anticipate that as more information of this zero day comes to light, the exploit will be weaponized and packaged into exploit kits rapidly, greatly increasing the number of attackers with access to this exploit.
All is not lost. Even zero day attacks fall into an attack pattern. When you take the approach of looking at the entire attack chain for suspicious behavior, rather than waiting and hoping to catch something on the last step of the process, you have many more opportunities to spot and disrupt an attack - even if it's malware you've never seen before.
Websense strongly encourages IT administrators to install the Microsoft FixIt patch to stop the vulnerability while waiting for a formal patch from Microsoft.”