
IFSEC Insider, formerly IFSEC Global, is the leading online community and news platform for security and fire safety professionals.
January 1, 2014


Zero-day attack for Internet Explorer goes high profile: Websense Security Labs

Websense Security Labs has seen a new zero-day exploit for Internet Explorer used in highly targeted, low-volume attacks in Korea, Hong Kong, and the United States, as early as August 23, 2013. The vulnerability details (CVE-2013-3897) were shared by Microsoft in advance of today's patch for the vulnerability, which is now available for download.

Websense ThreatSeeker Intelligence Cloud was able to correlate those attacks and build a profile of the geographical locations where the attacks began and of the targeted industries, described later in this post.

The vulnerability is caused by a use-after-free error when processing CDisplayPointer objects within mshtml.dll, and is generically triggered via the onpropertychange event handler; it could be exploited remotely by attackers to compromise a system via a malicious web page. The specific exploit that has been seen uses a heap spray to lay out memory and employs a ROP technique around the 0x14141414 address (as confirmed by the Microsoft Security Response Center).

The attacks were served by directly browsing to raw IP addresses, and were seen served from selected IP addresses in the network range 1.234.31.x/24, which is geolocated in the Republic of Korea. The attack lure pages (the starting point of the exploit chain) on that network range share the same URL pattern; they all use the URL structure <x.x.x.x>/mii/guy2.html.

A URL with that same structure, on the same network range, was also used to serve an older, already-disclosed exploit for Internet Explorer (CVE-2012-4792), again in a low-volume, targeted way. Those attacks were launched at the end of August this year. Here is a snippet of the page located at hxxp://1.234.31.142/mii/guy2.html. In the case of CVE-2012-4792 in this campaign, there appear to have been no conditional checks on operating system, browser, or language before the exploit was served, which means it was served to the target unconditionally.

Looking at the broader picture and taking into account all the related attacks observed to be served from the IP range 1.234.31.x/24, some interesting information was found that sheds more light on the high-level agenda of the perpetrators of this campaign. An interesting finding is that the campaign is global, even though, as described earlier, the attack pages check whether the operating system's language is Japanese or Korean before issuing the CVE-2013-3897 exploit. It looks like targeted entities of Korean or Japanese origin are not limited to those countries.

For example, one entity in the Engineering and Construction industry was targeted at one of its U.S. locations. In addition, as mentioned above, the pages serving CVE-2012-4792 didn't employ any conditional checks before issuing the exploit, so the potential targets in that case could be more varied. It was found that in this campaign a government entity located in the U.S. was targeted with CVE-2012-4792.

Websense telemetry indicates that the CVE-2013-3897 exploit has been hosted on servers in Seoul, South Korea, at IP addresses 1.234.31.153, 1.234.31.142 and 1.234.31.154. The exploit has been seen targeting computers located in the United States, Hong Kong, and Seoul, South Korea.
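The indicators given above (the 1.234.31.0/24 range, the three hosting IPs, and the shared /mii/guy2.html lure path) are the kind of thing a defender would sweep proxy logs for. The script below is an added example, not Websense's or IFSEC's code; it assumes a simplified "timestamp client url" log format, and the log lines, timestamps and client addresses in it are constructed for illustration.

```python
"""Proxy-log triage for the indicators in this post (added example).
Assumes a simplified 'timestamp client dest_url' line format; the
sample lines, timestamps and client addresses below are constructed."""
import ipaddress
from urllib.parse import urlparse

LURE_NET = ipaddress.ip_network("1.234.31.0/24")               # range from the post
HOSTING_IPS = {"1.234.31.142", "1.234.31.153", "1.234.31.154"}  # hosts from the post
LURE_PATH = "/mii/guy2.html"                                    # shared lure URL structure

# Constructed sample log (hypothetical clients and times; 198.51.100.9 is a doc-range IP).
SAMPLE_LOG = """\
2013-09-02T10:01:12Z 10.0.0.15 http://1.234.31.142/mii/guy2.html
2013-09-02T10:01:13Z 10.0.0.15 http://1.234.31.142/mii/guy2.html
2013-09-02T10:03:40Z 10.0.0.22 http://example.com/index.html
2013-09-02T10:05:01Z 10.0.0.31 http://1.234.31.77/other/page.html
2013-09-02T10:07:55Z 10.0.0.40 http://198.51.100.9/mii/guy2.html
"""

def classify(url):
    """Return the list of indicator names matched by one request URL."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    hits = []
    try:
        if ipaddress.ip_address(host) in LURE_NET:
            hits.append("lure-net")        # raw-IP host inside 1.234.31.0/24
    except ValueError:
        pass                               # a DNS name, not a bare IP address
    if host in HOSTING_IPS:
        hits.append("known-host")          # one of the three reported servers
    if parsed.path == LURE_PATH:
        hits.append("lure-path")           # the /mii/guy2.html structure, any host
    return hits

def triage(log_text):
    """Map each matching (client, url) pair to its indicators; duplicates collapse."""
    findings = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                       # skip malformed lines rather than guess
        _ts, client, url = parts
        hits = classify(url)
        if hits:
            findings[(client, url)] = hits
    return findings
```

Calling `triage(SAMPLE_LOG)` returns three findings: the full lure URL on a known host, a different page on the same /24 (worth a look, but weaker), and the lure path on an unrelated host, which only matches on path.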

It appears that the perpetrators behind this campaign target entities from different industries across a selected set of geolocations, which reaffirms the notion that these kinds of campaigns operate on a global scale and focus on a variety of industries that are not necessarily related. The perpetrators are innovative and employ zero-day exploit code, but their work also appears to be customized per target, since older exploits that have already been patched were seen being used in selected attacks.
