Originally thought to be exploiting CVE-2012-4792, the attackers are now known to be targeting a previously unknown vulnerability in certain versions of IE. According to Microsoft, the vulnerability affects Internet Explorer 8, and IE 6, 7, 9 and 10 are not impacted.
“This is a remote code execution vulnerability,” Microsoft explained in an advisory. “The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.”
“On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs,” according to the advisory.
According to AlienVault, the list of affected sites spans from the Department of Labor site to sites belonging to several non-profit groups and institutes as well as a European company involved in the aerospace, defense and security industries.
Researchers from CrowdStrike said the attack campaign may have begun in mid-March. Their analysis of logs from the malicious infrastructure used in this campaign showed the IP addresses of the visitors to the compromised sites belonged to 37 different countries.
“The legitimate sites compromised to deliver malicious code in this campaign give an indication into targets of interest,” blogged Matt Dahl, senior threat researcher at CrowdStrike. “The specific Department of Labor website that was compromised provides information on a compensation program for energy workers who were exposed to uranium. Likely targets of interest for this site include energy-related US government entities, energy companies, and possibly companies in the extractive sector.”
“Based on the other compromised sites other targeted entities are likely to include those interested in labor, international health and political issues, as well as entities in the defense sector,” he blogged.
Microsoft urged anyone worried about the attack to upgrade to the most current versions of the browser, which are not vulnerable to the attack.
“We also encourage folks to exercise caution when visiting websites and avoid clicking suspicious links, or opening email messages from unfamiliar senders,” blogged Dustin Childs, group manager for response communications for trustworthy computing at Microsoft.