Less than a week after uncovering Operation SnowMan, the FireEye Dynamic Threat Intelligence cloud has identified another targeted attack campaign — this one exploiting a zero-day vulnerability in Flash. We are collaborating with Adobe security on this issue. Adobe has assigned the CVE identifier CVE-2014-0502 to this vulnerability and released a security bulletin.
As of this blog post, visitors to at least three nonprofit institutions — two of which focus on matters of national security and public policy — were redirected to an exploit server hosting the zero-day exploit. We’re dubbing this attack “Operation GreedyWonk.”
We believe GreedyWonk may be related to a May 2012 campaign outlined by ShadowServer, based on consistencies in tradecraft (particularly with the websites chosen for this strategic Web compromise), attack infrastructure, and malware configuration properties.
The group behind this campaign appears to have sufficient resources (such as access to zero-day exploits) and a determination to infect visitors to foreign and public policy websites. The threat actors likely sought to infect users to these sites for follow-on data theft, including information related to defense and public policy matters.
On February 11, FireEye identified a zero-day exploit (CVE-2014-0322) being served up from the U.S. Veterans of Foreign Wars’ website (vfw[.]org). We believe the attack is a strategic Web compromise targeting American military personnel amid a paralyzing snowstorm at the U.S. Capitol in the days leading up to the Presidents Day holiday weekend. Based on infrastructure overlaps and tradecraft similarities, we believe the actors behind this campaign are associated with two previously identified campaigns (Operation DeputyDog and Operation Ephemeral Hydra).
This blog post examines the vulnerability and associated attacks, which we have dubbed “Operation SnowMan.”
In our last post, we warned of a new Windows local privilege escalation vulnerability being used in the wild. We noted that the Windows bug (CVE-2013-5065) was exploited in conjunction with a patched Adobe Reader bug (CVE-2013-3346) to evade the Reader sandbox. CVE-2013-3346 was exploited to execute the attacker’s code in the sandbox-restricted Reader process, where CVE-2013-5065 was exploited to execute more malicious code in the Windows kernel.
In this post, we aim to describe the in-the-wild malware sample, from initial setup to unrestricted code execution.
CVE-2013-3346: Adobe Reader ToolButton Use-After-Free
CVE-2013-3346 was privately reported to ZDI by Soroush Dalili, apparently in late 2012. We could fine no public description of the vulnerability. Our conclusion that the sample from the wild is exploiting CVE-2013-3346 is based upon the following premises:
- CVE-2013-3346 is a use-after-free condition with ToolButton objects.
- The Adobe Reader patch that addresses CVE-2013-3346 also stops the in-the-wild exploit.
CVE-2013-3346 Exploitation: Technical Analysis
- Make a parent ToolButton with a callback CB
- Within the callback CB, make a child ToolButton with a callback CB2
- Within the callback CB2, free the parent ToolButton
FireEye Labs has identified a new Windows local privilege escalation vulnerability in the wild. The vulnerability cannot be used for remote code execution but could allow a standard user account to execute code in the kernel. Currently, the exploit appears to only work in Windows XP.
This local privilege escalation vulnerability is used in-the-wild in conjunction with an Adobe Reader exploit that appears to target a patched vulnerability. The exploit targets Adobe Reader 9.5.4, 10.1.6, 11.0.02 and prior on Windows XP SP3. Those running the latest versions of Adobe Reader should not be affected by this exploit.
Post exploitation, the shellcode decodes a PE payload from the PDF, drops it in the temporary directory, and executes it.
The following actions will protect users from the in-the-wild PDF exploit:
1) Upgrade to the latest Adobe Reader
2) Upgrade to Microsoft Windows 7 or higher
This post was intended to serve as a warning to the generic public. We are collaborating with the Microsoft Security team on research activities. Microsoft assigned CVE-2013-5065 to this issue.
We will continue to update this blog as new information about this threat is found.
[Update]: Microsoft released security advisory 2914486 on this issue.
FireEye Labs has identified a new IE zero-day exploit hosted on a breached website based in the U.S. It’s a brand new IE zero-day that compromises anyone visiting a malicious website; classic drive-by download attack. The exploit leverages a new information leakage vulnerability and an IE out-of-bounds memory access vulnerability to achieve code execution.
The information leak uses a very interesting vulnerability to retrieve the timestamp from the PE headers of
msvcrt.dll. The timestamp is sent back to the attacker’s server to choose the exploit with an ROP chain specific to that version of
msvcrt.dll. This vulnerability affects Windows XP with IE 8 and Windows 7 with IE 9.
The memory access vulnerability is designed to work on Windows XP with IE 7 and 8, and on Windows 7. The exploit targets the English version of Internet Explorer, but we believe the exploit can be easily changed to leverage other languages. Based on our analysis, this vulnerability affects IE 7, 8, 9, and 10. This actual attack of this memory access vulnerability can be mitigated by EMET per Microsoft’s feedback.
This exploit has a large multi-stage shellcode payload. Upon successful exploitation, it will launch
CreateProcess), and inject and execute its second stage (with
CreateRemoteThread). The second stage isn’t written to a file as with most common shellcode, which usually downloads an executable and runs it from disk.
In summary, this post was intended to serve as a warning to the generic public. We are collaborating with the Microsoft Security team on research activities.
We will continue to update this blog as new information about this threat is found. FireEye would like to acknowledge and thank iSIGHT Partners for their assistance in this research.
[Update 12-20-2013]: Microsoft release a security bulletin, assigned CVE-2013-3918 and CVE-2014-0266 to this issue.
A zero-day vulnerability was recently discovered that exploits a Microsoft graphics component using malicious Word documents as the initial infection vector. Microsoft has confirmed that this exploit has been used in “attacks observed are very limited and carefully carried out against selected computers, largely in the Middle East and South Asia.”
Our analysis has revealed a connection between these attacks and those previously documented in Operation Hangover, which adds India and Pakistan into the mix of targets. Information obtained from a command-and-control server (CnC) used in recent attacks leveraging this zero-day exploit revealed that the Hangover group, believed to operate from India, has compromised 78 computers, 47 percent of those in Pakistan.
However, we have found that another group also has access to this exploit and is using it to deliver the Citadel Trojan malware. This group, which we call the Arx group, may have had access to the exploit before the Hangover group did. Information obtained from CnCs operated by the Arx group revealed that 619 targets (4024 unique IP addresses) have been compromised. The majority of the targets are in India (63 percent) and Pakistan (19 percent).
In our previous blog post my colleagues Ned and Nart provided a detailed analysis on the Advanced Persistent Threat (APT) Campaign Operation DeputyDog. The campaign leveraged a zero-day vulnerability of Microsoft Internet Explorer (CVE-2013-3893). Microsoft provided an advisory and ‘Fix it’ blog post.
I am happy to announce that Xiaobo Chen, a well-known security researcher, has recently joined FireEye Labs. We worked together on the analysis of this zero-day vulnerability. In this blog, we will provide a deep dive on the exploitation part of the campaign. Continue reading