Internet Explorer Zero-Day Exploited in the Wild by APT Group

[tao]

An advanced persistent threat (APT), a term sometimes used to describe nation-state-backed cyber-espionage units, is using a zero-day vulnerability in the Internet Explorer kernel code to infect victims with malware.

 

Security researchers from Chinese antivirus maker Qihoo 360 Core have reported the issue to Microsoft this week, Bleeping Computer has learned from a member of the Qihoo 360 team.

 

The zero-day has been deployed in live attacks, as part of Office documents sent to selected targets.

Latest versions of IE browser affected, possibly other apps

The Qihoo 360 Core team said the zero-day uses a so-called "double kill" vulnerability that affects the latest versions of Internet Explorer and any other applications that use the IE kernel.

 

"After the target opens the document, all exploit code and malicious payloads are loaded from a remote server," researchers wrote today in a blog post on the Weibo micro-blogging platform.

 

Researchers said the attack involves the use of a public UAC bypass, reflective DLL loading, fileless execution, and steganography.

 

The Qihoo 360 Core team has not revealed the exact exploitation chain, apart from an image shared on Weibo. [We'll still working on getting the image translated.]

 

Microsoft mum on today's disclosure

In typical Microsoft fashion, the company has not confirmed or denied Qihoo 360 Core's findings. The company has sent over the following canned statement.

 

Windows has a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection. Our standard policy is to provide remediation via our current Update Tuesday schedule.

 

The Qihoo 360 Core team has not answered a request for comment for more details on the APT group prior to this article's publication.

 

< Here >

[straycat19]

The primary defense against all of these kind of attacks is you don't open documents from people you don't know or from whom you normally don't get documents.  People are too trusting of emails.  If you are one of those types then you can at least use a sandbox to open your email in so it can't affect your system.  Most good businesses won't even allow attached documents into their mail system from outside.  We went to that system over 15 years ago.  Anyone who needs to send documents, such as a vendor, gets a login to an ftp server where they can upload their invoices, etc and they are scanned before being made available to employees.  Not only do we strip attachments but we also strip hyperlinks from all emails.  We have not had an incident caused by email since we enabled this security.  I have to admit that we have some of the best security and system administrators in the world running our systems, I have learned a lot from them, even though it has nothing to do with my job.

[pc71520]

17 hours ago, adi said:

We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.

Yeah, right...

[J.C]

 

Any Chinese here in the forums to translate that?