Hackers pieced together zero-day vulnerabilities in Flash and Internet Explorer 9+ to attack financial services and defense contractor employees visiting Forbes.com, according to security firm researchers, Invincea and iSIGHT Partners.
In November 2014, the site’s Thought of the Day (ToTD) page, which is displayed briefly upon visiting the site, was compromised. On first visit to the Forbes site, the users were directed to an IP address that hosted the Shockwave Flash exploit.
When the ToTD widget opened, it delivered the Flash exploit (hrn.dll) on the local system. The DLL then got reflectively loaded into the memory and gained administrative privileges and provided all information about current patch levels, network mapping, IP configuration, VPN connections. The botnet then beaconed information to the malicious control server, which in this particular case was found to be hp://iad12s04-in-f22.1h100.net/irwravxrc/getuau.html.
Further analysis by iSIGHT Partners revealed that the exploit used an additional 0-day bypass mitigation vulnerability in the IE 9+ (CVE-2015-0071) to deliver second attack. Flash and many other applications have an in-built mechanism Address Space Layout Randomization (ASLR) that makes drive-by attacks harder. The Flash exploit was able to exploit the mitigation defense within 7 seconds.
The Flash 0-day vulnerability, registered as CVE-2014-9163 in the National Vulnerability Database, was patched on 9 December 2014, whereas Microsoft fixed the patch on 10 February.
The incident highlights how minor software flaws that by themselves incapable of any remote code execution, however, pose a significant threat to end users.
“In the world of cyber threats, the chained 0-day exploit is a unicorn—the best known attack with chained 0-days was the Stuxnet attack allegedly perpetrated by US and Israeli intelligence agencies against Iran’s nuclear enrichment plant at Natanz as part of an operation known as Olympic Games,” explained the blog by Invincea.