Anatomy of the Council on Foreign Relations Watering Hole Attack

By Anthony Freed | January 03, 2013

Posted in: Network Security Trends

Microsoft was quick to respond to reports of a zero-day vulnerability in Internet Explorer that was being actively exploited in a watering hole attack targeting users of a website belonging to the Council on Foreign Relations (CFR), a U.S.-based think tank. Microsoft has issued temporary workarounds for the vulnerability and is expected to release further mitigation actions in the near future. But what exactly is a watering hole attack? Researchers at security provider Symantec have been studying the technique since 2009, as detailed in an analysis of the methodology released last year, and that work offers further insight into the workings behind the CFR attack.

The recently identified flaw in Internet Explorer versions 6, 7, and 8 (IE versions 9 and 10 are unaffected) leaves systems open to remote code execution by abusing the way IE accesses objects in memory that have already been deleted or were never properly allocated, according to Microsoft.

"The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website," a Microsoft advisory on the exploit explained.

The vulnerability was used in a watering hole attack that sought to infect potentially high-value targets by compromising the CFR website with injected JavaScript or HTML designed to redirect the browsers of unsuspecting visitors in an attempt to expose them to malware. Choosing the right website to set up for the attack is similar to how a predator waits for its preferred prey to visit a particular resource, hence the "watering hole" analogy that gave the attack its name.

In the CFR event, attackers injected code into the website that would first identify the version of IE being used by the potential target, then check whether Adobe Flash was installed on the system, and finally check whether the browser was set to a language of interest to the attackers, specifically English, Chinese, Russian, Japanese, or Korean, according to Symantec's analysis.

Targets who were not using the right (or wrong, in this case) browser version, had Flash disabled, or did not pass the other checks on the list were merely redirected to a blank webpage. Those whose systems fit the profile for the attack were not so lucky: the malicious code then checked whether Java version 6 was running, and if so, a Flash object was loaded using a Class ID (CLSID) that referenced a corrupt Shockwave Flash file named "today.swf."

An iframe was generated for a page that delivered the exploit code for the Windows 7 and XP operating systems, and the exploit's ActionScript then generated shellcode tailored to the particular operating system and language it had detected.

"While the browser is being exploited through the news.html iFrame, a GET request was made from the original compromised page to download a xsainfo.jpg file that was stored in Internet Explorer's Temporary Internet Files. This is an encoded dynamic-link library (DLL) binary which was the payload of the attack," Symantec explained.

The method of infection is atypical, according to the researchers, as it employed what is referred to as a drive-by-cache attack: the encoded payload is placed in the browser cache before exploitation, and the shellcode then retrieves it from there to deliver the final payload, a backdoor executable called "DirectDB.exe." Symantec offers more detail on the attack logistics in its assessment.

The number of systems presently infected with the malicious code is extremely small, leading analysts to conclude the IE zero-day vulnerability was being exploited in a targeted attack aimed at some high-value users of the CFR website, some of whom include current and former ranking U.S. government officials.

"The use of zero-day exploits in targeted attacks is certainly not a new phenomenon. Many high profile incidents like Hydraq (also known as Aurora), Stuxnet, and Duqu used one or more zero-day exploits to accomplish their goal... In this particular case, use of a zero-day exploit suggests a high level of sophistication requiring access to resources and skills which would normally be outside most hackers' capabilities," the analysts concluded.

Microsoft issued temporary workarounds and suggests that users add the sites they need to IE's Trusted Sites zone and then set the security zone settings to High, or disable Active Scripting.
