Hackers are using a zero day vulnerability in Microsoft's Internet Explorer (IE) web browser and targeting US military personnels in an active attack campaign, dubbed as 'Operation Snowman'.
FireEye Researchers have discovered that a U.S. veterans website was compromised to serve a zero day exploit, known as CVE-2014-0322, which typically involves the compromise of a specific website in order to target a group of visitors known to frequent it.
FireEye identified drive-by-download attack which has altered HTML code of the website and introduced JavaScript which creates malicious iFrame.
"A zero-day exploit (CVE-2014-0322) being served up from the U.S. Veterans of Foreign Wars' website (VFW[.]org). We believe the attack is a strategic Web compromise targeting American military personnel, amid a paralyzing snowstorm at the U.S."
According to FireEye, the zero day CVE-2014-0322 'vulnerability is a previously unknown use-after-free bug in Microsoft Internet Explorer 10. The vulnerability allows the attacker to modify one byte of memory at an arbitrary address.'
Dropped files are digitally signed making it look like a legitimate application and the vulnerability ultimately allowed them to bypass address space layout randomization (ASLR) by accessing the memory from Flash ActionScript.
But the exploitation can be migrated if the user is browsing with a different version of IE or has installed Microsoft's Experience Mitigation Toolkit (EMET).
"Based on the overlaps and trade craft similarities, it is believed that the actors behind the campaigns are associated with two previously identified campaigns, Operation Deputy Dog and Operation Ephermeral Hydra, which had previously targeted a number of different industries," FireEye said.
A Microsoft spokesperson confirmed - "Our initial investigation has revealed that Internet Explorer 9 and Internet Explorer 10 are affected".
