Chinese Hackers Suspected In Fresh IE Exploit

Microsoft has another new Internet Explorer exploit to deal with, after researchers uncovered a fresh attack delivered from a hacked website in the US, believed to be the work of Chinese threat actors.

The attack has been linked to Operation Aurora, which hit Google and other US firms in 2009, as well as the hack of security firm Bit9.

Described by FireEye as a “classic drive-by download attack”, it was seen delivering an exploit of a previously-unknown and unpatched information leakage flaw, and a fresh memory access vulnerability.

The targeted site was “strategically important”, and “known to draw visitors that are likely interested in national and international security policy”, FireEye said. The latest new vulnerabilities affect Internet Explorer versions 7 through 10 running on Windows XP and Windows 7 are affected.

Google hackers back again?

It’s believed the hackers have history in exploiting newly-discovered flaws. The attackers dropped the same malware, Hydraq, as seen in the infamous Aurora attacks that hit Google and a range of other US organisations in 2009. The “rat_UnInstall” string was also seen in both this latest attack and the Aurora hits. China-based hackers were suspected of carrying out the campaign.

The attack infrastructure also has links to Operation DeputyDog, which saw a range of Japanese organisations targeted by zero-day strikes. It was claimed those who carried out DeputyDog also breached security company Bit9.

“We do see connections between this attack and Operation Aurora in that it used similar techniques and malware tools. That said, a few different intrusion teams use these same techniques and tools therefore we cannot definitively conclude this attack was the work of the same group responsible for Operation Aurora. However, we do believe this group is Chinese,” FireEye researcher Ned Moran told TechWeekEurope.

“As we state in the blog the infected website catered to visitors interested in ‘international security policy’. Unfortunately, we cannot provide more specifics than that description.”

The latest attack, which emerged at the end of last week, delivered the payload in memory rather than writing it to disk straightaway. “This technique will further complicate network defenders’ ability to triage compromised systems, using traditional forensics methods,” FireEye said in a blog post.

“The fact that the attackers used a non-persistent first stage payload suggests that they are confident in both their resources and skills.

“As the payload was not persistent, the attackers had to work quickly, in order to gain control of victims and move laterally within affected organisations.

“If the attacker did not immediately seize control of infected endpoints, they risked losing these compromised endpoints, as the endpoints could have been rebooted at any time – thus automatically wiping the in-memory Trojan.APT.9002 malware variant from the infected endpoint.”

Microsoft had not responded to a request for comment at the time of publication. It is currently working on a patch for a Windows flaw, which has been used in attacks on Pakistani organisations.

Are you a security expert? Try our quiz!