Attack On US Veterans Website May Have Targeted Military Personnel
February 14, 2014

Attack On US Veterans Website May Have Targeted Military Personnel

Peter Suciu for - Your Universe Online

On Tuesday security researchers identified a zero-day exploit (CVE-2014-0322) that had been served up from the US Veterans of Foreign Wars (VFW) website. This attack reportedly targeted American military personnel during this week’s paralyzing snowstorm at the United States Capitol.

Researchers at FireEye believe that those behind this attack, which may have also been coordinated to take place in advance of the Presidents' Day holiday weekend, are likely associated with two previously identified campaigns. These include the Operation DeputyDog and Operation Ephemeral Hydra – the former of which targeted organizations in Japan last fall.

FireEye has dubbed this latest attack “Operation SnowMan.” The security researchers said that this attack exploited a zero-day flaw in the Internet Explorer 10 browser.

“After compromising the VFW website, the attackers added an iframe into the beginning of the website’s HTML code that loads the attacker’s page in the background,” wrote Darien Kindlund, Dan Caselden, Xiaobo Chen, Ned Moran and Mike Scott on the official FireEye blog. “The attacker’s HTML/JavaScript page runs a Flash object, which orchestrates the remainder of the exploit. The exploit includes calling back to the IE 10 vulnerability trigger, which is embedded in the JavaScript. Specifically, visitors to the VFW website were silently redirected through an iframe to the exploit at www.[REDACTED].com/Data/img/img.html.”

This exploit targets IE 10 with Adobe Flash, but was also found to abort the exploitation if the user is browsing with a different version of IE or has installed Microsoft’s Experience Mitigation Toolkit (EMET). Installing EMET or updating to IE 11 will prevent this exploit from functioning.

This exploit, which is a previously unknown user-after-free bug in IE 10, allows the attacker to modify one byte of memory at an arbitrary address. From this the attacker can gain access to memory from Flash ActionScript and pivot to a return-oriented programming (ROP) exploit technique to bypass data execution prevention (DEP).

If successful, the attack can create a backdoor dubbed “ZxShell,” which can be used to steal files from the compromised computer.

FireEye believes the attack was placed on the VFW website where it would be found by US military personnel. Currently the VFW has more than 1.4 million members, including 75,000 still on active duty, reported.

“A possible objective in the SnowMan attack is targeting military service members to steal military intelligence,” the researchers added. “In addition to retirees, active military personnel use the VFW website. It is probably no coincidence that Monday, Feb. 17, is a U.S. holiday, and much of the U.S. Capitol shut down Thursday amid a severe winter storm.”

An analysis of the backdoor exploit showed that it contacts a website hosted on an IP address that had been linked to the previous Operation DeputyDog and Operation Ephemeral Hydra. Both of those are suspected to have originated in China.

Last year security researchers linked a rash of cyber-attacks against companies in the United States and other English-speaking countries to a branch of the People’s Liberation Army (PLA) called Unit 61398. This group is believed to be based in a single 12-story building on the edge of Shanghai.