Microsoft and Adobe have issued emergency fixes to address two separate zero-day exploits in Internet Explorer and Flash, respectively, both of which have been observed in active attack campaigns.
Adobe issued an updated version of its Flash Player software Thursday to address the previously undisclosed CVE-2014-0502, discovered by Milpitas, Calif.-based security vendor FireEye Inc., along with two other exploits. Adobe gave the Flash update a priority rating of 1, meaning the software giant is aware of attackers actively utilizing the vulnerability and recommends administrators install the update within 72 hours.
In a blog post detailing the discovery, FireEye researchers said they discovered the Flash zero-day exploit being served up through a malicious redirect from websites for three nonprofit organizations: the Peter G. Peterson Institute for International Economics, the American Research Center in Egypt and the Smith Richardson Foundation. The nature of the compromised sites means that attackers are likely targeting government employees focused on national defense and public policy, FireEye noted, leading them to name this particular attack campaign GreedyWonk.
The GreedyWonk attacks utilize only "known ASLR bypasses," according to FireEye, based on hardcoded return-oriented programming (ROP) chains. Included in recent Windows versions, ASLR (address space layout randomization) is a security mechanism that randomizes the memory addresses at which executables and libraries are loaded, with the intention of breaking exploit code that relies on finding specific code at a fixed, known address.
Once a machine is compromised, the attackers install the PlugX/Kaba remote access Trojan (RAT). FireEye researchers noted that the PlugX sample had been compiled just a day before they observed it on February 13, leading them to believe it was built specifically for this campaign.
Further analysis of the command-and-control infrastructure utilized in the GreedyWonk campaign uncovered connections to past attacks against similar targets that deployed the infamous Poison Ivy RAT.
"We found a related Poison Ivy sample (MD5 8936c87a08ffa56d19fdb87588e35952) with the same "java7" password, which was dropped by an Adobe Flash exploit (CVE-2012-0779)," FireEye said. "In this previous incident, visitors to the Center for Defense Information website -- also an organization involved in defense matters -- were redirected to an exploit server at 220.127.116.11."
FireEye said that the Flash exploit targets only three specific configurations on victims' machines, including those still running the Windows XP operating system, as well as Windows 7 users running Java 1.6 and outdated versions of Microsoft Office 2007 and 2010. Java 1.6 no longer receives security updates, and FireEye noted that the specific ASLR bypass being used to target Office in the wild was fixed by Microsoft in later versions, so users of those software versions should upgrade to mitigate this specific attack.
"These mitigations do not patch the underlying vulnerability," FireEye said. "But by breaking the exploit's ASLR-bypass measures, they do prevent the current in-the-wild exploit from functioning."
Separately, Microsoft took action Thursday to provide a temporary mitigation for a zero-day exploit found in Internet Explorer 9 and 10. Security Advisory 2934088 provides a one-click "Fix it" patch to address known exploit techniques, said Microsoft, but users of IE 9 and IE 10 would be wise to upgrade to IE 11, because the latest version of the browser is not currently affected by the vulnerability. Use of Microsoft's Enhanced Mitigation Experience Toolkit (EMET) also reportedly mitigated the exploit.
Originally discovered by FireEye researchers last week, the IE zero-day exploit, CVE-2014-0322, was being used as part of a watering-hole attack campaign, labeled Operation SnowMan, with visitors to the U.S. Veterans of Foreign Wars (VFW) website being targeted. Similar to the Flash zero-day exploit, attackers inserted a malicious iframe into the HTML of the VFW website, causing a redirect to another site; it was speculated to be aliststatus.com at the time, where the exploit was triggered on victims' machines. FireEye said the IE exploit utilized a previously unknown "use-after-free" bug, allowing them to bypass ASLR by modifying "one byte of memory at arbitrary address."
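One defender-side check that the watering-hole description above suggests, as an added example that is not from the article or from FireEye: a small Python script that parses a page's HTML and flags iframes that load content from another host or are hidden, the pattern used to redirect VFW visitors to the exploit site. The sample HTML and the site hostname are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a legitimate same-site frame next to an injected,
# hidden off-site frame of the kind the article describes.
SAMPLE_HTML = """
<html><body>
<h1>Welcome</h1>
<iframe src="/widgets/calendar.html" width="300" height="200"></iframe>
<iframe src="http://redirector.example.test/img.html" width="0" height="0"
        style="display:none"></iframe>
</body></html>
"""


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> tag in a document."""

    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.frames.append({k.lower(): (v or "") for k, v in attrs})


def _is_hidden(attrs):
    """True for frames sized to 0/1 pixels or styled out of view."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = attrs.get("width", "").strip() in ("0", "1") or \
        attrs.get("height", "").strip() in ("0", "1")
    return tiny or "display:none" in style or "visibility:hidden" in style


def find_suspicious_iframes(html, site_host):
    """Return [(src, reasons)] for iframes that are off-site and/or hidden.

    A frame loading content from another host is the redirect pattern the
    article describes; hiding it keeps the redirect out of the visitor's view.
    """
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.frames:
        src = attrs.get("src", "")
        reasons = []
        host = urlparse(src).hostname  # None for relative (same-site) URLs
        if host and host.lower() != site_host.lower():
            reasons.append("off-site host: " + host)
        if _is_hidden(attrs):
            reasons.append("hidden or zero-sized frame")
        if reasons:
            findings.append((src, reasons))
    return findings
```

Run it over a saved copy of a page you administer with the site's own hostname as `site_host`; a same-site check that also accepts subdomains is an easy extension.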