Earlier this month we blogged about a new Internet Explorer 10 zero-day vulnerability that was targeted in a recent watering hole attack. The attackers took advantage of a previously undiscovered zero-day flaw known as the Microsoft Internet Explorer Use-After-Free Remote Code Execution Vulnerability (CVE-2014-0322). At the time, the attackers delivered the exploit code for the zero-day vulnerability through compromised sites, intending to target a limited audience. Since then, we have continued to closely monitor attacks focusing on CVE-2014-0322. We’ve observed trends suggesting that attacks targeting this vulnerability are no longer confined to advanced persistent threats (APT) — the zero-day attacks are expanding to attack average Internet users as well. We refer to these attacks as drive-by downloads. This is not a surprising result, as the vulnerability’s exploit code received a lot of exposure, allowing anyone to acquire the code and re-use it for their own purposes.
Our internal telemetry shows a big uptick in attempted zero-day attacks. The attacks started to increase dramatically from February 22, targeting users in many parts of the world. Our telemetry shows both targeted attacks and drive-by downloads in the mix.
Figure 1. Attacks targeting CVE-2014-0322 around the world
Users visiting Japanese sites have particularly been targeted. This is mainly because multiple sites were compromised to host the drive-by download. The following sites were compromised in these attacks.
- A community site for mountain hikers
- An adult dating service site
- A website promoting language education
- A website providing financial market information
- An online shopping site
- A website of a Japanese tour provider
We believe that the same attacker undertook the majority of the attacks, based on the file components used.
Figure 2. Computers targeted with CVE-2014-0322 exploit code by region
These websites either were modified to host the exploit code for the Internet Explorer zero-day vulnerability or were updated with the insertion of an iframe that redirects the browser to another compromised site hosting the exploit code. If the attack is successful, the exploit drops a banking Trojan that steals login details from certain banks. Symantec detects this threat as Infostealer.Bankeiya.
Figure 3. Fake login screen for Mizuho Bank asking for a pin number
Figure 4. Fake login screen for Japan Post bank asking for a PIN number
How to stay protected from the attacks
Microsoft has yet to provide a security update to patch the affected vulnerability. However, the company has offered the following solutions to help users protect their computers from exploits that take advantage of this vulnerability:
Symantec also encourages users to apply all relevant patches when they are available. Symantec protects customers against this attack with the following detections:
- Trojan Horse
Intrusion Prevention Signatures
We will likely to continue to see an uptick in attacks exploiting this vulnerability, so we urge everyone to take action immediately.