It’s called Operation Clandestine Fox and it has the potential to be very dangerous. The problem is that this vulnerability comes shortly after the Heartbleed episode which may make people shrug it off as just another bug. But this is what Microsoft has to say about it:
“an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
In other words, the attacker can do whatever he or she wanted to do remotely. Your computers are their computers. But what exactly do these hackers really want to do?
Until it was discovered, it appeared the main goal of this exploit was to gather intelligence. “It’s a campaign of targeted attacks seemingly against US-based firms, currently tied to defence and financial sectors,” FireEye spokesman Vitor De Souza said via email. “It’s unclear what the motives of this attack group are, at this point. It appears to be broad-spectrum intel gathering.” So, for the moment, it appears that individuals are in the clear, or, at least they were. When this was a zero-day attack, it was an exploit that just sat in the background gathering intelligence. Now that it’s “in the wild”, other hackers with other motives may be trying to exploit this vulnerability.
Who’s vulnerable? Well, anyone using Internet Explorer versions 6-11, although the favored targets appear to be versions 9 through 11. This is somewhat unusual in that these later versions activate ASLR and DEP security features by default. However, as Microsoft points out, “because ASLR is a generic mitigation aimed at stopping exploitation techniques that apply to many vulnerabilities, attackers are very interested in attempting to find new bypass techniques for it.”
How can you avoid being a victim? The best way for now is to either use another browser or disable the Flash Player. To do this:
1. Click on Tools
2. Click on Manage Add-ons
3. Click Shockwave Flash Player
4. In the lower corner of the screen, you will see the word, “disable”. Click it.
5. Click, OK
If you still happen to be using Windows XP, you’re even more out of luck because Microsoft will not issue a special fix for you.
Who’s behind this exploit? As I’ve stated in other posts, zero-day exploits don’t come cheap. Usually, only governments can afford them. FireEye, the firm that found the exploit, will not give any details about it or who they think may be behind it. However, a similar exploit was identified by the firm in February. At that time, they gave this information about the attacker or “threat actor”.
“This threat actor clearly seeks out and compromises websites of organizations related to international security policy, defense topics, and other non-profit sociocultural issues. The actor either maintains persistence on these sites for extended periods of time or is able to re-compromise them periodically.
This actor also has early access to a number of zero-day exploits, including Flash and Java, and deploys a variety of malware families on compromised systems. Based on these and other observations, we conclude that this actor has the tradecraft abilities and resources to remain a credible threat in at least the mid-term.”
If that attack really was similar to Operation Clandestine Fox, then it may have roots in China, which probably won’t surprise anyone.