By GCN Staff


Researchers: IE flaw being exploited by group behind Aurora attacks

Security researchers at Symantec have traced recent exploits of a zero-day flaw in older versions of Internet Explorer to a group it calls the Elderwood gang, whose previous attacks have included the Google Aurora attacks that have been traced to China.

An analysis of the watering hole attacks carried out against the IE flaw — for which Microsoft has issued a Fix-It workaround but not yet a patch — found similarities to previous Elderwood exploits, Symantec researchers wrote in a blog post. Among the similarities were a Flash exploit and several mentions of “HeapSpary,” which researchers said was a mistyping of Heap Spray, a common step in attacks.

Microsoft had issued an advisory Dec. 29, warning of the flaw in IE 6, 7 and 8 in certain configurations, and directing users and admins to a Fix-It for the problem. Microsoft’s next Patch Tuesday update, due Jan. 8, is not expected to include a fix for the flaw.

The vulnerability was first noticed as part of watering-hole attacks against the websites of the Council on Foreign Relations and of an energy equipment manufacturer, Capstone Turbine Corp. Microsoft said in its advisory that it was aware of only a few targeted attacks exploiting the flaw.

Symantec’s discovery of links to Elderwood raises the specter, at least, that the exploits could be part of a state-sponsored campaign. The company has tracked the group, also known as Aurora, since its attacks on Google and 33 other companies in 2009. In September 2012, Symantec issued a report saying the group had remained active, employing an unprecedented number of zero-day attacks that “indicates access to a high level of technical capability.”

Although Symantec’s report did not speculate on the origin of the attacks, Google and others have said the Aurora attacks came from within China.

Symantec’s report said the Aurora/Elderwood group was targeting defense and supply-chain contractors, human-rights groups, non-governmental organizations, IT services providers and other industries.

“Victims are attacked, not for petty crime or theft, but for the wholesale gathering of intelligence and intellectual property,” the report said. “The resources required to identify and acquire useful information — let alone analyze that information — could only be provided by a large criminal organization, attackers supported by a nation state or a nation state itself.”

In addition to its Fix-It, Microsoft has recommended high security zone settings for Internet and intranet zones, adding trusted sites to IE’s Trusted Sites zone and either disabling Active Scripting or configuring IE to prompt users before running Active Scripts.
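One way an administrator can apply and verify the Active Scripting part of that recommendation, as an added example that is not from the article or from Microsoft’s advisory. It assumes the standard per-user zone registry keys (Zones\1 for Local intranet, Zones\3 for Internet) and the 1400 DWORD that holds the Active Scripting setting (0 = Enable, 1 = Prompt, 3 = Disable).

```powershell
# Added example (not from the article): set Active Scripting to "Prompt" in the
# Internet (zone 3) and Local intranet (zone 1) zones for the current user, then verify.
# Assumes the standard per-user zone keys and the 1400 (Active Scripting) DWORD:
#   0 = Enable, 1 = Prompt, 3 = Disable.
$ZoneRoot        = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Zones           = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$ActiveScripting = '1400'
$Prompt          = 1

function Get-ActiveScriptingSetting {
    param([int]$Zone)
    $key   = Join-Path $ZoneRoot $Zone
    $value = (Get-ItemProperty -Path $key -Name $ActiveScripting -ErrorAction SilentlyContinue).$ActiveScripting
    switch ($value) {
        0       { 'Enable' }
        1       { 'Prompt' }
        3       { 'Disable' }
        default { "Unknown ($value)" }   # missing value or a non-standard setting
    }
}

foreach ($zone in $Zones.Keys) {
    $key = Join-Path $ZoneRoot $zone
    Write-Host ("{0,-15} before: {1}" -f $Zones[$zone], (Get-ActiveScriptingSetting $zone))
    Set-ItemProperty -Path $key -Name $ActiveScripting -Value $Prompt -Type DWord
    Write-Host ("{0,-15} after:  {1}" -f $Zones[$zone], (Get-ActiveScriptingSetting $zone))
}
```

If the zone settings are managed by Group Policy, the policy keys under HKLM take precedence and the per-user change above will not alter IE’s effective behavior.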

Posted by Kevin McCaney on Jan 07, 2013 at 9:39 AM
