Microsoft on Friday confirmed a previously unknown vulnerability in Internet Explorer 8 that is believed to have been used to target people from the nuclear energy industry.
Microsoft has confirmed its popular IE 8 browser is vulnerable to attacks that can be launched from a compromised website. Successful exploitation can give the attacker complete control over a machine, depending on the victim’s user rights on the device.
One of at least nine hacked legitimate sites hosting the IE 8 zero day exploit was the Department of Labor’s “Site Exposure Matrices” website, according to security firm AlienVault, one of the first to report the attacks.
The DOL site is a repository of information about toxic substances present at US Department of Energy facilities and supports compensation claims, suggesting the intended targets were from the nuclear energy sector.
Researchers have labelled the malware campaign a watering-hole attack, in which attackers choose the sites that will serve their exploit based on a profile of each website's visitors.
AlienVault and security firm Invincea initially reported that the hacked site was serving an exploit for an older bug, CVE-2012-4792, which affected IE 6 to IE 8. By Friday, however, Invincea and another security firm, FireEye, had discovered that the attack was exploiting a new flaw affecting only IE 8.
Microsoft confirmed that IE 8 on Windows XP through to Windows 7 is vulnerable, as well as on Windows Server 2003 to 2008. The company may release an out-of-band patch for the flaw, identified as CVE-2013-1347, but could also wait for its monthly Patch Tuesday cycle, scheduled for May 14.
IE8 is two generations behind IE10, but remains popular, in part because it is the most modern browser supported on Windows XP and is supported through to Windows 7.
Researchers believe the attackers behind the DOL’s compromised site are the Chinese APT group known as DeepPanda; however, CrowdStrike, the company that originally profiled the group, has been unable to confirm this.
CrowdStrike’s analysis shows that visitors to the compromised DOL page came from 37 different countries, but whether visitors were infected would depend on whether they were running IE8 or another browser.
Other sites compromised to serve the same exploit include several non-profit groups and institutes and a “big European company that plays in the aerospace, defence and security markets”, according to AlienVault.