Researchers reveal IE zero-days after hackers set 'watering hole' traps

Memory-resident malware targeted visitors to security policy website

Security researchers have uncovered two unpatched vulnerabilities in Internet Explorer (IE) which have been exploited by attackers in an unusual "watering hole" campaign launched from a U.S.-based website that specializes in domestic and international security policy.

Microsoft said that it was investigating the reports of IE "zero-day" bugs.

According to FireEye of Milpitas, Calif., the flaws exist in IE7, IE8, IE9 and IE10, with attacks seen in the wild against all but 2012's IE10. PCs running Windows XP or Windows 7 have been compromised.

"The attack is fairly precise in its targeting methods," said Darien Kindlund, manager of threat intelligence at FireEye, in an interview Monday. "The watering hole attack was set up [to trigger] only at certain times and [on PCs] from certain locations on the network. [The attackers] controlled this access so tightly because the attack was a completely memory-based type of payload."

In a watering hole attack, the attackers identify likely targets, sometimes down to the individual, then work out which websites those targets visit regularly. Next they compromise one or more of those sites, plant the exploit code there and, like lions hunkered down at a watering hole, wait for victims to come to them.

Kindlund declined to name the watering hole website, but said that its theme was domestic and foreign security policy.

Users who surfed to the site with IE during the hours when the attack "window" was open, and whose IP addresses identified them as valuable targets, would have had their Windows machines silently hijacked.

The attacks were unusual in that the exploits left no trace on the computer's hard disk. Instead, the attackers loaded the attack code directly into memory, where it executed. Because the payload was never written to disk and nothing re-launched it at startup, it vanished when the PC was restarted and system memory was cleared. Detection therefore has to come from memory (a capture of the running browser process taken before the reboot) or from network telemetry such as the exploit delivery and the malware's command-and-control traffic, not from the disk.

In-memory attacks like this have been seen before, but as far as FireEye knew, only in exploits originating from sophisticated organized crime groups trying to steal money from victims' bank accounts. "This type of memory-resident attack has not been seen before in targeted attacks that appear to be linked to threat actors who may or may not have ties to nation states," said Kindlund.

The advantage of an ephemeral exploit is that it is much harder to detect -- "There's very little footprint," said Kindlund -- and so it is extremely hard to work out which PCs have been compromised.

"The cons are that there's a degradation of reliability of the exploit," said Kindlund, "because once the end-point [PC] is compromised, the attackers have to have operators available."

Since the hijacked PC returns to a non-compromised state after a reboot, the hackers had to be prepared, with someone ready to jump in and begin searching for information to steal. "It's not automated," said Kindlund of the data-stealing process. "A human has to drive the RAT [remote access tool] to exfiltrate data or move laterally through the network [to look for data]."

The data thieves had to work fast, again because of the potential for a PC restart, which would erase the malware. The attack window was opened early in the workday, local time, to maximize the amount of time the hackers had. Most users don't reboot their computers during the workday, and turn them off, if at all, only at the end of the day.
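Because the exploit was served only during a time window and only to chosen client addresses, and because the payload left nothing on disk, the first question for a responder is not "which disk shows infection" but "which of our hosts fetched the site with a vulnerable IE while the window was open". The following Python is an added example of that triage run over proxy logs; it is not code from FireEye or from the original article. The site name (policy-site.example), the window (08:00 to 11:00 local time) and the log lines are all constructed for illustration; the article names none of them.

```python
"""Triage proxy logs after a watering-hole attack gated by time window and client IP.

Added example: the host, the window and the log lines are constructed, not from the article.
"""
import re
from collections import defaultdict
from datetime import datetime, time
from typing import Dict, List, NamedTuple, Optional

# Hypothetical: the article does not name the compromised site.
WATERING_HOLE_HOST = "policy-site.example"
# Hypothetical window; the article says only that it opened early in the workday.
WINDOW_START, WINDOW_END = time(8, 0), time(11, 0)
# From the article: IE7-IE10 are vulnerable, IE7-IE9 were exploited in the wild.
VULNERABLE_IE = {7, 8, 9, 10}
EXPLOITED_IE = {7, 8, 9}

IE_RE = re.compile(r"MSIE (\d+)\.\d")

# Constructed sample log, tab-separated:
# timestamp  client_ip  url  status  bytes  user_agent
SAMPLE_LOG = """\
2013-11-08T08:42:10\t10.1.4.22\thttp://policy-site.example/\t200\t48211\tMozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)
2013-11-08T08:43:01\t10.1.4.22\thttp://policy-site.example/js/app.js\t200\t19877\tMozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)
2013-11-08T09:05:33\t10.1.7.90\thttp://policy-site.example/js/app.js\t200\t3120\tMozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.101 Safari/537.36
2013-11-08T09:11:47\t10.1.4.35\thttp://policy-site.example/js/app.js\t200\t19877\tMozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
2013-11-08T14:20:05\t10.1.4.51\thttp://policy-site.example/js/app.js\t200\t3120\tMozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
2013-11-08T09:30:12\t10.1.9.12\thttp://policy-site.example/js/app.js\t200\t3120\tMozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)
2013-11-08T09:31:00\t10.1.4.22\thttp://intranet.example/home\t200\t5002\tMozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)
"""


class Hit(NamedTuple):
    ts: datetime
    client: str
    url: str
    status: int
    nbytes: int
    ie_version: Optional[int]  # None for non-IE browsers


def parse_log(text: str) -> List[Hit]:
    """Parse the tab-separated format above; the IE major version comes from the User-Agent."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, url, status, nbytes, ua = line.split("\t", 5)
        m = IE_RE.search(ua)
        hits.append(Hit(datetime.fromisoformat(ts), client, url, int(status),
                        int(nbytes), int(m.group(1)) if m else None))
    return hits


def host_of(url: str) -> str:
    return url.split("/")[2]


def in_window(ts: datetime) -> bool:
    return WINDOW_START <= ts.time() < WINDOW_END


# Higher rank = more urgent; the numbers only matter relative to each other.
RANKS = {
    "acquire-memory-now": 3,            # exploited IE version, inside the window
    "in-window-ie10": 2,                # vulnerable version, no in-the-wild exploit reported
    "vulnerable-ie-outside-window": 1,  # exposed only if the window was wider than assumed
}


def triage(hits: List[Hit]) -> Dict[str, str]:
    """Map each client that fetched the watering hole with a vulnerable IE to a triage label."""
    best: Dict[str, str] = {}
    for h in hits:
        if host_of(h.url) != WATERING_HOLE_HOST or h.ie_version not in VULNERABLE_IE:
            continue
        if not in_window(h.ts):
            label = "vulnerable-ie-outside-window"
        elif h.ie_version in EXPLOITED_IE:
            label = "acquire-memory-now"
        else:
            label = "in-window-ie10"
        if RANKS[label] > RANKS.get(best.get(h.client, ""), 0):
            best[h.client] = label
    return best


def selective_serving(hits: List[Hit]) -> Dict[str, List[int]]:
    """URLs on the watering hole that answered 200 with more than one response size.

    A gate that hands the exploit only to chosen visitors tends to show up as two
    size clusters for the same URL. Compression and dynamic content produce the
    same pattern legitimately, so treat a hit as a lead, not as proof.
    """
    sizes = defaultdict(set)
    for h in hits:
        if host_of(h.url) == WATERING_HOLE_HOST and h.status == 200:
            sizes[h.url].add(h.nbytes)
    return {url: sorted(s) for url, s in sizes.items() if len(s) > 1}


if __name__ == "__main__":
    hits = parse_log(SAMPLE_LOG)
    for client, label in sorted(triage(hits).items(), key=lambda kv: -RANKS[kv[1]]):
        print(f"{client:12} {label}")
    for url, sizes in selective_serving(hits).items():
        print(f"differing response sizes for {url}: {sizes}")
```

The point of the size comparison is that a scanner or a responder re-visiting the site outside the window, or from an address the gate does not target, receives the benign page and learns nothing; the logs written while the window was open are the only record of who was actually handed the exploit. Hosts labelled "acquire-memory-now" should have memory captured before anyone reboots them, since the reboot is exactly what destroys the evidence.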

Kindlund speculated that the hackers chose the memory-resident attack technique to safeguard the zero-day vulnerabilities they exploited, a tactic that in this case, at least, didn't work.

"They were willing to accept the trade-off [of potentially losing the PC compromise] because they did not want these zero-day vulnerabilities to be discovered this easily," Kindlund said. "If they were going to employ them, they wanted to be cautious ... the more times they used them, the more likely that they would be discovered and patched."

In a post on the FireEye blog on Sunday, four researchers published details of the attack code. They also noted a possible link via the malware's command-and-control infrastructure to a hacking campaign from August 2013 that the security vendor had dubbed "Operation DeputyDog."

DeputyDog in turn had been connected to the hackers who in February infiltrated the corporate network of Bit9, a Waltham, Mass. security vendor, used a Bit9 code-signing certificate to sign their own malware, and then used that signed malware against several Bit9 customers, whose application-whitelisting software trusted it.

On Monday, however, Kindlund was hesitant to claim that the same group responsible for DeputyDog and the Bit9 breach was also behind the latest attacks. "We like to take a cautious stance before linking an attack to a group. We want at least three linkages, but so far we have only one [to DeputyDog]," said Kindlund. "It's a significant finding, but the link could mean it's the same threat actor or that two different threat actors are using the same command-and-control infrastructure."

Microsoft declined to confirm FireEye's finding, but a spokesperson emailed a short statement that read, "We are actively looking into this issue and will take appropriate action to help protect customers."

Kindlund defended FireEye's decision to publicly reveal the zero-days, including some technical details of the attack campaign, before a patch was available; Microsoft prefers that researchers not do so.

"We had to make a trade-off between the interests of Microsoft with the interests of the general public, who needed to be aware that targeted attacks using these vulnerabilities were in the wild," Kindlund said.

Microsoft will issue its November slate of security updates tomorrow at around 10 a.m. PT (1 p.m. ET), and will include one or more patches for IE. However, unless Microsoft's security team knew of the flaws long before FireEye reported them, it is very unlikely that they will be fixed Tuesday.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer.
