Microsoft flaw used to attack French aerospace employees, veterans

SAN FRANCISCO Sat Feb 15, 2014 6:36am IST

The Microsoft logo is seen on the wall of the company's branch in Prague March 17, 2013. REUTERS/David W Cerny/Files

The Microsoft logo is seen on the wall of the company's branch in Prague March 17, 2013.

Credit: Reuters/David W Cerny/Files

Stocks

   

SAN FRANCISCO (Reuters) - A flaw in recent versions of Internet Explorer was used to attack visitors to a website for U.S. military veterans, and also appears to have been used earlier against French aerospace industry employees, researchers said Friday.

The flaw in Microsoft Corp's (MSFT.O) IE 10 Web browser was reported on Thursday, days after it was used inside the Web page of nonprofit U.S. group Veterans of Foreign Wars. The VFW said Friday that an unspecified federal law enforcement agency is investigating and that the malicious code on its site had been removed.

Security firm Websense Inc WBSN.O said it found similar attack code on a page set up on January 20 with a Web address nearly identical to one used by a French aerospace association.

That suggests the attacks using the flaw have been going on for at least three weeks, but might have succeeded earlier against higher-value targets and escaped discovery, said Websense Director of Security Research Alexander Watson.

FireEye Inc (FEYE.O), which discovered the VFW attack, said it appeared connected to previous attacks against the Japanese financial sector, security firm Bit9 and others that Symantec Corp (SYMC.O) security researchers attributed to a large and well-organized group in China.

The latest attacks are considered to be sophisticated as they rely on a previously unknown flaw of a sort that can cost $50,000 or more when sold by shadowy brokers to government agencies or contractors. The industry calls these flaws "zero-day vulnerabilities."

They also seem part of a multistage operation, with the attackers seeking to break into the computers of U.S. veterans or French defense contractors in the future. Once there, they could look for military plans or designs or passwords that would enable them to impersonate the individuals electronically. Assuming those victims' identities in emails sent to more prominent targets would make it more likely that the recipients would click on baited links or unwitting install more spying software.

Although the initial report in the new campaign mentioned only IE 10, Microsoft said it had determined that IE 9 is also vulnerable.

"We recommend customers upgrade to Internet Explorer 11 for added protection," said Adrienne Hall, general manager of Microsoft's Trustworthy Computing Group.

Despite the use of the unknown flaw, Websense's Watson said the attacks were not that hard to spot. For one thing, a program that exploited the flaw was submitted on January 20 to Virus Total, a free Google Inc (GOOG.O) service that shows whether any major antivirus provider would block the sample. In this case, none did. In addition, the programming language operated in the open, without complicated obfuscation that can deter analysis.

Watson said that was why he felt the attacks could prove to be by a new group, or even two different new groups. As an example, the exploit code might have been written elsewhere, and used with more success, then passed along to a new group with less expertise.

The French page that was imitated is GIFAS, which claims more than 300 members, including contractors making satellites, missiles and other arms, as well as helicopters, military planes and engines.

Links to the fake page might have been sent via email to industry officials.

In the VFW's case, the hackers broke into the real Web page and inserted code shown to visitors that would lead to infection if they were using the right version of IE. FireEye said hundreds or thousands of infections occurred.

VFW spokeswoman Randi K. Law said the nonprofit group was working with law enforcement and private security incident responders.

"At this point, there is no indication that any member or donor data was compromised," she said in an email.

It was unclear whether that statement referred to the computers of website visitors or merely data stored by the VFW itself, and she did not respond to follow-up questions.

The FBI did not return a call seeking comment.

(Reporting by Joseph Menn. Editing by Andre Grenon)

Comments (0)
This discussion is now closed. We welcome comments on our articles for a limited period after their publication.

  • Most Popular
  • Most Shared

AMAZON

TECH SHOWCASE

Rising Market Value

Rising Market Value

Facebook goes express to mega-cap status  Full Article 

Right to be Forgotten

Right to be Forgotten

Google under fire from regulators over response to EU privacy ruling.  Full Article 

Record Smartphone Sales

Record Sales

LG Electronics flags further mobile improvement after Q2 profit jump.  Full Article 

Smartwatch

Smartwatch

Swatch Group denies working with Apple on smartwatch.  Full Article 

Strong Results

Strong Results

Nokia's fortunes brighten on heavy network spending.  Full Article 

Battle of Giants

Battle of Giants

In China, Apple's focus pays off while Samsung feels squeeze.  Full Article 

Anonymity Services

Anonymity Services

Flaws could expose users of privacy-protecting software, researchers say.  Full Article 

Biggest Chipmaker

Biggest Chipmaker

China regulator determines Qualcomm has monopoly - state-run newspaper.  Full Article 

Reuters India Mobile

Reuters India Mobile

Get the latest news on the go. Visit Reuters India on your mobile device.  Full Coverage