CVE-2014-0322: Internet Explorer 10 Zero-Day Used in a Watering Hole Attack

By Nofar Gueta | February 27, 2014

An Internet Explorer zero-day was discovered by FireEye Labs on February 11, after it was planted on the U.S. Veterans of Foreign Wars’ site as part of a watering hole attack. The exploit targets IE10 with Adobe Flash. The operation was named “Operation SnowMan”.

The vulnerability in Microsoft’s IE was published only a few days after the company's monthly update (Patch Tuesday), which included seven security bulletins.

The analysis defines this attack as a classic “drive-by download attack”, in which the victim is infected by visiting the malicious site. The vulnerability itself allows the attacker to bypass two of the most common memory protection mechanisms: DEP and ASLR. That way, the attacker gets full access to the memory and has the ability to execute any code.

According to the analysis, this attack was launched by the same attackers who were behind two other watering hole attacks: Operation DeputyDog and Operation Ephemeral Hydra. Altogether, the attackers targeted different industries, including governmental entities, defense companies, law firms, IT companies and more. For now, indications point to a link between the aforementioned attacks and attacker groups operating from China and Russia.

Regarding the operation, the company claimed: “The proven ability to successfully deploy a number of different private and public RATs using zero-day exploits against high-profile targets likely indicates that this actor(s) will continue to operate in the mid to long-term”.

Indeed, this attack is far from being the only one of its kind: only a few months ago a similar attack took place.

Because Cyvera TRAPS obstructs the core exploitation techniques and is not based on any detection mechanism, this attack and many others are successfully prevented without relying on prior knowledge.