Researchers: IE flaw being exploited by group behind Aurora attacks
Security researchers at Symantec have traced recent exploits of a zero-day flaw in older versions of Internet Explorer to a group it calls the Elderwood gang, whose previous attacks have included the Google Aurora attacks that have been traced to China.
An analysis of the watering hole attacks carried out against the IE flaw — for which Microsoft has issued at Fix-It workaround but not yet a patch — found similarities to previous Elderwood exploits, Symantec researchers wrote in a blog post. Among the similarities were a Flash exploit and several mentions of “HeapSpary,” which researchers said was a mistyping of Heap Spray, a common step in attacks.
Microsoft had issued an advisory Dec. 29, warning of the flaw in IE 6, 7 and 8 in certain configurations, and directing users and admins to a Fix-It for the problem. Microsoft’s next Patch Tuesday update, due Jan. 8, is not expected to include a fix for the flaw.
The vulnerability was first noticed as part of watering-hole attacks against websites of the Council on Foreign Relations’ and an energy equipment manufacturer, Capstone Turbine Corp. Microsoft said in its advisory that it was aware of only a few targeted attacks exploiting the flaw.
Symantec’s discovery of links to Elderwood raises the specter, at least, that the exploits could be part of a state-sponsored campaign. The company has tracked the group, also known as Aurora, since its attacks on Google and 33 other companies in 2009. In September 2012, Symantec issued a report saying the group had remained active, employing an unprecedented number of zero-day attacks that “indicates access to a high level of technical capability.”
Although Symantec’s report did not speculate on the origin of the attacks, Google and others have said the Aurora attacks came from within China.
Symantec’s report said the Aurora/Elderwood group was targeting defense and supply-chain contractors, human-rights groups, non-governmental organizations, IT services providers and other industries.
“Victims are attacked, not for petty crime or theft, but for the wholesale gathering of intelligence and intellectual property,” the report said. “The resources required to identify and acquire useful information—let alone analyze that information — could only be provided by a large criminal organization, attackers supported by a nation state or a nation state itself.”
In addition to its Fix-It, Microsoft has recommended high security zone settings for Internet and intranet zones, adding trusted sites to IE’s Trusted Sites zone and either disabling Active Scripting or configuring IE to prompt users before running Active Scripts.
Posted by Kevin McCaney on Jan 07, 2013 at 11:52 AM