Internet Explorer 10 Zero-Day Vulnerability Exploited in Widespread Drive-by Downloads

Earlier this month we blogged about a new Internet Explorer 10 zero-day vulnerability that was targeted in a recent watering hole attack. The attackers took advantage of a previously undiscovered zero-day flaw known as the Microsoft Internet Explorer Use-After-Free Remote Code Execution Vulnerability (CVE-2014-0322). At the time, the attackers delivered the exploit code for the zero-day vulnerability through compromised sites, intending to target a limited audience. Since then, we have continued to closely monitor attacks focusing on CVE-2014-0322. We’ve observed trends suggesting that attacks targeting this vulnerability are no longer confined to advanced persistent threats (APT) — the zero-day attacks are expanding to attack average Internet users as well. We refer to these attacks as drive-by downloads. This is not a surprising result, as the vulnerability’s exploit code received a lot of exposure, allowing anyone to acquire the code and re-use it for their own purposes.

Our internal telemetry shows a big uptick in attempted zero-day attacks. The attacks started to increase dramatically from February 22, targeting users in many parts of the world.  Our telemetry shows both targeted attacks and drive-by downloads in the mix.

IE 10 zero day 1.png

Figure 1. Attacks targeting CVE-2014-0322 around the world

Users visiting Japanese sites have particularly been targeted.  This is mainly because multiple sites were compromised to host the drive-by download. The following sites were compromised in these attacks.

  • A community site for mountain hikers
  • An adult dating service site
  • A website promoting language education
  • A website providing financial market information
  • An online shopping site
  • A website of a Japanese tour provider

We believe that the same attacker undertook the majority of the attacks, based on the file components used.

IE 10 zero day 2 edit.png

Figure 2. Computers targeted with CVE-2014-0322 exploit code by region

These websites either were modified to host the exploit code for the Internet Explorer zero-day vulnerability or were updated with the insertion of an iframe that redirects the browser to another compromised site hosting the exploit code. If the attack is successful, the exploit drops a banking Trojan that steals login details from certain banks. Symantec detects this threat as Infostealer.Bankeiya.

IE 10 zero day 3.png

Figure 3. Fake login screen for Mizuho Bank asking for a pin number

 

figure4_7.png
Figure 4. Fake login screen for Japan Post bank asking for a PIN number

How to stay protected from the attacks

Microsoft has yet to provide a security update to patch the affected vulnerability. However, the company has offered the following solutions to help users protect their computers from exploits that take advantage of this vulnerability:

Symantec also encourages users to apply all relevant patches when they are available. Symantec protects customers against this attack with the following detections:

Antivirus

Intrusion Prevention Signatures

We will likely to continue to see an uptick in attacks exploiting this vulnerability, so we urge everyone to take action immediately.