Hackers exploit IE flaw to launch fresh cyber attack

14 Feb 2014

A flaw in a recent version of Microsoft's Internet Explorer web browser (Internet Explorer 10) has been used to attack internet users, according to researchers.

The attacks were discovered by security firm FireEye, which said hundreds or thousands of machines had been infected. It added that the culprits broke into the website of the US Veterans of Foreign Wars (VFW) and inserted a hidden link that redirected visitors to a malicious web page, where the exploit made use of Adobe Flash content to compromise the browser.

According to FireEye researcher Darien Kindlund, the attackers were probably after information from the machines of former and current military personnel, and the attack showed tell-tale techniques linked to groups from mainland China that had earlier been involved in similar attacks.

He added that planting backdoors on the machines of VFW members and site visitors in order to gather military intelligence might well have been the goal.

According to a Microsoft spokesman, the company was aware of the "targeted" attacks and was investigating them. Reuters quoted spokesman Scott Whiteaker as saying the company would take action to help protect customers.

The latest version of the browser, IE11, is not affected. Users of older versions can install a Microsoft mitigation tool, the Enhanced Mitigation Experience Toolkit (EMET), which makes memory-corruption exploits of this kind harder to carry out until a patch is available.

Meanwhile, FireEye said in a blog post that the VFW website had been compromised by the hackers, who placed a hidden iframe on the site to deliver an exploit from the attacker's server.
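The injection technique described above, a hidden iframe that pulls exploit content from a host the site does not control, is straightforward to check for. The scanner below is an added example and not FireEye's tooling or anything from the real incident: it parses a page with Python's standard HTML parser, flags iframes that are hidden (display:none, visibility:hidden, zero or one-pixel size, or positioned off-screen) and whose source points to a foreign host. The site name "vfw.example", the host "evil.example", and the sample page are constructed for illustration.

```python
"""
Scan an HTML document for hidden iframes that load content from a foreign host,
the drive-by injection pattern used in strategic web compromises.
Constructed sample page and hostnames; not data from the real incident.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical site being checked (constructed name, not a real host).
SITE_HOST = "vfw.example"

# Inline-style fragments commonly used to make an iframe invisible.
HIDDEN_STYLE_RE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"(?:width|height)\s*:\s*0|left\s*:\s*-\d{3,}",
    re.I,
)


def _tiny(value):
    """True for width/height attributes of 0 or 1 (pixels), a classic hiding trick."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


class IframeCollector(HTMLParser):
    """Collects every <iframe> with the attributes needed to judge visibility."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":  # HTMLParser already lowercases tag names
            return
        a = dict(attrs)
        self.iframes.append({
            "src": a.get("src") or "",
            "style": a.get("style") or "",
            "width": a.get("width"),
            "height": a.get("height"),
            "line": self.getpos()[0],  # 1-based line of the start tag
        })


def is_hidden(frame):
    """Hidden by inline style, or collapsed to a 0/1 pixel box in either dimension."""
    if HIDDEN_STYLE_RE.search(frame["style"]):
        return True
    return _tiny(frame["width"]) or _tiny(frame["height"])


def is_foreign(src, site_host):
    """True when the src names a host other than the site itself.

    Relative URLs have no host and are treated as same-origin; protocol-relative
    URLs such as //evil.example/x are resolved to their host.
    """
    host = urlparse(src).hostname
    return host is not None and host.lower() != site_host.lower()


def find_suspicious_iframes(html, site_host=SITE_HOST):
    """Return the iframes that are both hidden and pointed at a foreign host."""
    parser = IframeCollector()
    parser.feed(html)
    parser.close()
    return [f for f in parser.iframes
            if is_hidden(f) and is_foreign(f["src"], site_host)]


# Constructed sample page: two legitimate frames, two injected hidden ones.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="https://vfw.example/video" width="640" height="360"></iframe>
<iframe src="https://cdn.example/widget" width="300" height="250"></iframe>
<iframe src="http://evil.example/exploit.html" width="0" height="0" style="display:none"></iframe>
<iframe src="http://evil.example/frame.html" style="position:absolute;left:-9999px"></iframe>
</body></html>"""


if __name__ == "__main__":
    for f in find_suspicious_iframes(SAMPLE_HTML):
        print(f"line {f['line']}: hidden iframe -> {f['src']}")
```

Run it against a saved copy of each page of a site; a hit on a page that should contain no third-party frames at all is exactly the kind of injection this incident relied on. The check is deliberately conservative: frames hidden purely by external stylesheets or by script at runtime will not be caught, so treat an empty result as "nothing obvious" rather than "clean".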

Once the exploit succeeded, the attackers installed a backdoor known as ZxShell, which allowed them to steal files from the user's computer.

Noting that this style of attack is called a 'drive-by download', in which victims have no idea they have been compromised, the FireEye researchers said they believed the attack was a strategic web compromise targeting American military personnel, timed to coincide with a paralysing snowstorm at the US Capitol in the days leading up to the Presidents Day holiday weekend.

FireEye said the attack appeared to be very recent. With the campaign, which FireEye dubbed "Operation SnowMan", the attackers might have been trying to take advantage of a lightly staffed IT department, as workers were stuck at home amid the snowstorm in Washington DC and ahead of a public holiday.

"A possible objective in the SnowMan attack is targeting military service members to steal military intelligence. In addition to retirees, active military personnel use the VFW website," it said in a blog post. "It is probably no coincidence that Monday February 17th is a US holiday and much of the US Capitol shut down Thursday amid a severe winter storm."