Pulse

By GCN Staff


Researchers: IE flaw being exploited by group behind Aurora attacks

Security researchers at Symantec have traced recent exploits of a zero-day flaw in older versions of Internet Explorer to a group it calls the Elderwood gang, whose previous attacks have included the Google Aurora attacks that have been traced to China.

An analysis of the watering-hole attacks carried out against the IE flaw — for which Microsoft has issued a Fix-It workaround but not yet a patch — found similarities to previous Elderwood exploits, Symantec researchers wrote in a blog post. Among the similarities were a Flash exploit and several mentions of “HeapSpary,” which researchers said was a mistyping of Heap Spray, a common step in attacks.

Microsoft had issued an advisory Dec. 29, warning of the flaw in IE 6, 7 and 8 in certain configurations, and directing users and admins to a Fix-It for the problem. Microsoft’s next Patch Tuesday update, due Jan. 8, is not expected to include a fix for the flaw.

The vulnerability was first noticed as part of watering-hole attacks against the websites of the Council on Foreign Relations and of an energy equipment manufacturer, Capstone Turbine Corp. Microsoft said in its advisory that it was aware of only a few targeted attacks exploiting the flaw.

Symantec’s discovery of links to Elderwood raises the specter, at least, that the exploits could be part of a state-sponsored campaign. The company has tracked the group, also known as Aurora, since its attacks on Google and 33 other companies in 2009. In September 2012, Symantec issued a report saying the group had remained active, employing an unprecedented number of zero-day attacks that “indicates access to a high level of technical capability.”

Although Symantec’s report did not speculate on the origin of the attacks, Google and others have said the Aurora attacks came from within China.

Symantec’s report said the Aurora/Elderwood group was targeting defense and supply-chain contractors, human-rights groups, non-governmental organizations, IT services providers and other industries.

“Victims are attacked, not for petty crime or theft, but for the wholesale gathering of intelligence and intellectual property,” the report said. “The resources required to identify and acquire useful information — let alone analyze that information — could only be provided by a large criminal organization, attackers supported by a nation state or a nation state itself.”

In addition to its Fix-It, Microsoft has recommended high security zone settings for Internet and intranet zones, adding trusted sites to IE’s Trusted Sites zone and either disabling Active Scripting or configuring IE to prompt users before running Active Scripts.
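For admins who want to verify that those zone hardening settings actually took effect on a workstation, here is an added PowerShell audit script (not from the article, Microsoft's advisory, or Symantec). It assumes the documented IE registry layout: zone keys 1 (Local intranet) and 3 (Internet), value `1400` for Active Scripting (0 = enabled, 1 = prompt, 3 = disabled), `CurrentLevel` for the zone's security level, and a `Policies` hive under HKLM that overrides the per-user HKCU settings when present.

```powershell
# Added example: report whether Active Scripting is enabled, prompted, or
# disabled in the Internet and Local intranet zones, and the zone's level.
# Assumes the standard IE zone registry layout and value names described above.

$Zones   = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$Script  = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }
# CurrentLevel values as commonly documented (assumed here): 0x12000 = High
$Levels  = @{ 0x12000 = 'High'; 0x11500 = 'Medium-high'; 0x11000 = 'Medium'
              0x10500 = 'Medium-low'; 0x10000 = 'Low' }
# Machine policy (Group Policy) is checked first because it overrides the user hive.
$Hives = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)

function Get-ZoneValue([string]$ZoneId, [string]$Name) {
    # Returns the first hive in precedence order that defines the value.
    foreach ($hive in $Hives) {
        $key = Join-Path $hive $ZoneId
        $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return [pscustomobject]@{ Value = $item.$Name; Source = $hive } }
    }
    return $null
}

function Get-IEZoneScriptingStatus {
    foreach ($zoneId in ($Zones.Keys | Sort-Object)) {
        $scripting = Get-ZoneValue -ZoneId $zoneId -Name '1400'
        $level     = Get-ZoneValue -ZoneId $zoneId -Name 'CurrentLevel'
        $scriptTxt = if ($scripting) { $Script[[int]$scripting.Value] } else { 'Not set (default)' }
        $levelTxt  = if ($level)     { $Levels[[int]$level.Value] }     else { 'Not set (default)' }
        [pscustomobject]@{
            Zone            = $Zones[$zoneId]
            ActiveScripting = $scriptTxt
            SecurityLevel   = $levelTxt
            # Flag zones that still run scripts silently at a level below High.
            Hardened        = ($scriptTxt -ne 'Enabled') -or ($levelTxt -eq 'High')
            Source          = if ($scripting) { $scripting.Source } else { 'n/a' }
        }
    }
}

Get-IEZoneScriptingStatus | Format-Table -AutoSize
```

A zone that reports `Hardened = False` is still running Active Scripting at a level below High, which is the state the advisory's mitigation is meant to remove; values marked `Not set` fall back to IE's built-in defaults for that zone.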

Posted by Kevin McCaney on Jan 07, 2013 at 9:39 AM

