Flaw used to attack French aerospace

Comment on this story
iol scitech april 7 cyber crime pic AFP It's business as usual for US military's social media sites despite the fact that hackers broke into the Pentagon's Twitter account.

San Francisco - A flaw in recent versions of Internet Explorer was used to attack visitors to a website for US military veterans, and also appears to have been used earlier against French aerospace industry employees, researchers said.

The flaw in Microsoft's IE 10 Web browser was reported on Thursday, days after it was used inside the Web page of nonprofit US group Veterans of Foreign Wars. The VFW said that an unspecified federal law enforcement agency is investigating and that the malicious code on its site had been removed.

Security firm Websense said it found similar attack code on a page set up on Jan. 20 with a Web address nearly identical to one used by a French aerospace association.

That suggests the attacks using the flaw have been going on for at least three weeks, but might have succeeded earlier against higher-value targets and escaped discovery, said Websense Director of Security Research Alexander Watson.

FireEye, which discovered the VFW attack, said it appeared connected to previous attacks against the Japanese financial sector, security firm Bit9 and others that Symantec security researchers attributed to a large and well-organised group in China.

The latest attacks are considered to be sophisticated as they rely on a previously unknown flaw of a sort that can cost $50 000 or more when sold by shadowy brokers to government agencies or contractors. The industry calls these flaws “zero-day vulnerabilities.”

They also seem part of a multistage operation, with the attackers seeking to break into the computers of US veterans or French defence contractors in the future. Once there, they could look

Although the initial report in the new campaign mentioned only IE 10, Microsoft said it had determined that IE 9 is also vulnerable.

“We recommend customers upgrade to Internet Explorer 11 for added protection,” said Adrienne Hall, general manager of Microsoft's Trustworthy Computing Group.

Despite the use of the unknown flaw, Websense's Watson said the attacks were not that hard to spot. For one thing, a program that exploited the flaw was submitted on Jan. 20 to Virus Total, a free Google Inc service that shows whether any major antivirus provider would block the sample. In this case, none did. In addition, the programming language operated in the open, without complicated obfuscation that can deter analysis.

Watson said that was why he felt the attacks could prove to be by a new group, or even two different new groups. As an example, the exploit code might have been written elsewhere, and used with more success, then passed along to a new group with less expertise.

The French page that was imitated is GIFAS, which claims more than 300 members, including contractors making satellites, missiles and other arms, as well as helicopters, military planes and engines.

Links to the fake page might have been sent via email to industry officials.

In the VFW's case, the hackers broke into the real Web page and inserted code shown to visitors that would lead to infection if they were using the right version of IE. FireEye said hundreds or thousands of infections occurred.

VFW spokeswoman Randi K. Law said the nonprofit group was working with law enforcement and private security incident responders.

“At this point, there is no indication that any member or donor data was compromised,” she said in an email.

It was unclear whether that statement referred to the computers of website visitors or merely data stored by the VFW itself, and she did not respond to follow-up questions.

The FBI did not return a call seeking comment. - Reuters

Hungry for more scitech news? Sign up for our daily newsletter

sign up

Comment Guidelines

  1. Please read our comment guidelines.
  2. Login and register, if you haven’ t already.
  3. Write your comment in the block below and click (Post As)
  4. Has a comment offended you? Hover your mouse over the comment and wait until a small triangle appears on the right-hand side. Click triangle () and select "Flag as inappropriate". Our moderators will take action if need be.

  5. Verified email addresses: All users on Independent Media news sites are now required to have a verified email address before being allowed to comment on articles. You are only required to verify your email address once to have full access to commenting on articles. For more information please read our comment guidelines