Believe it or not, hackers have found some new vulnerabilities in Internet Explorer, and are using them to exploit former military personnel.
According to security firm FireEye, two hacking groups used a flaw in the most recent version of the web browser, IE 10, to install malware onto the computers of users who visited the U.S. Veterans of Foreign Wars’ website using Explorer. FireEye writes that the hack, which they called "Operation Snowman" (because Washington is especially vulnerable to hacking during this last round of incapacitating snow and ahead of the President's Day holiday), was likely an attempt to get at military information.
FireEye explains the very technical specifics of the breach:
Basically, people who reached the site through IE were susceptible to malware that the hackers had secretly embedded into the VFW site. This didn't happen to people using other browsers, like Chrome or Firefox or even IE 11, per FireEye:
The exploit targets IE 10 with Adobe Flash. It aborts exploitation if the user is browsing with a different version of IE or has installed Microsoft’s Experience Mitigation Toolkit (EMET). So installing EMET or updating to IE 11 prevents this exploit from functioning.
The security firm identified two campaigns as being linked to the attack, Operation DeputyDog and Operation Ephemeral Hydra. The elaborately named hacking efforts have relied on IE's vulnerabilities before -- DeputyDog used flaws in the browser to attack Japanese sites in August, and Ephemeral Hydra partnered with DeputyDog to exploit IE insecurities in a more mysterious breach, per security blogger Ken Westin:
It is like coming home to your door being wide open, you don’t know if the attacker is inside, or the intentions of who is in there, or if they have left, and if so what they took and why. Given that the code was found on a website targeting national and international security policy, we can assume the targets are political. That we have not seen anything to make the exploit persistent I would assume that the attackers are cherry picking their targets when devices connect back to the command and control server.
Reuters reports that the hackers behind Operation Snowman infected hundreds or thousands of computers. FireEye researcher Daniel Kindlund told Reuters it's possible that the hackers hope to access files stored on former military personnel's machines with the breach.
ComputerWorld noted, however, that the breach actually puts one-third of IE users at risk — everyone who is using IE 9 or IE 10. According to the site, IE 9 and 10 users may have been vulnerable to attack for quite some time:
While FireEye said it identified the "zero-day" vulnerability -- a term to indicate that the flaw is currently unpatched -- on Feb. 11, yesterday San Diego security company Websense said it had found evidence that the exploit may have been used as early as Jan. 20, or more than three weeks ago.
Microsoft spokesman Scott Whiteaker said that the company is aware of the attacks and is investigating, adding "We will take action to help protect customers." Or, maybe users should just switch browsers.
This article is from the archive of our partner The Wire.