Earlier today, SophosLabs determined that the website of a European aeronautical parts supplier had been hacked, and a malicious attack planted on it which exploited a zero-day Microsoft security vulnerability that has not yet been patched.
We were alerted to the security problem when a Sophos customer attempted to visit the affected website and received a warning message that a file on the site was infected by code which attempts to exploit a vulnerability in Microsoft XML Core Services that could allow remote code execution (CVE-2012-1889).
SophosLabs experts determined that the hacked website had been breached, and cybercriminals had planted the following four files into a subdirectory:
Just one glance at the filenames, and the use of the same critical zero-day vulnerability, should make clear the similarities to the incident we reported yesterday of an attack against a European medical company’s website.
In both cases, the exploit is allowing what is known as a drive-by install: you can become infected simply by visiting a website with Internet Explorer.
So, what’s going on?
Allow us to speculate a little.
We know that the CVE-2012-1889 vulnerability has been linked to Google’s recent warnings about “state-sponsored attacks”.
We know that a tried-and-trusted method of hacking into large companies and organisations is to target the supply chain. The theory goes that rather than try to hack a company which may have robust security practices and security teams, the bad actor can instead attack a smaller supplier which is less well placed to notice the security breach.
This may also provide something of a smokescreen, because smaller suppliers will not necessarily keep records and logs of sufficient detail, or for as great a length of time as the larger organisation.
We know that a hacker who manages to plant malicious code on the website of, say, a company which supplies aeronautical parts may reasonably predict that staff at a larger organisation – such as an arms manufacturer or defence ministry – might have reason to access the site.
Once the hackers have placed their malicious code on the supplier’s website, they would simply wait for notification that their code has run on either the big company’s network or a larger supplier further up the chain.
SophosLabs expert Paul Baccas described the concept to me rather nicely:
"Rather than use a worm to catch the biggest fish in the pond, you use a worm to catch a smaller fish, and then bait your hook with the smaller fish and repeat until you have caught the big fish."
Of course, we don’t know if this is what has happened in this case. It’s just speculation.
But interesting and, I believe, reasonable speculation none the less.
Because of the sensitivity of this latest case, we have decided not to name the company whose website has been hacked (we have been in touch with them, and they have since cleaned up their website), or the European country that they are based in.
What should you do?
Users running any flavor of supported Windows are vulnerable, from XP onwards up to and including Windows 7. All supported editions of Microsoft Office 2003 and Microsoft Office 2007 are also vulnerable.
Unfortunately, there is not yet an official patch from Microsoft – but they have suggested a workaround that will help prevent the vulnerability from being exploited.
Microsoft’s security advisory recommends that IE and Office users immediately install a Fix it solution, downloadable with instructions from Microsoft Knowledge Base Article 2719615, until the company rolls out a final, proper fix.
Don’t underestimate the seriousness of this vulnerability. It’s being actively exploited in the wild, and there is currently no patch available for it. As a result, Sophos raised its threat level rating to its highest level – “Critical”.
Security products such as Sophos do provide protection against the exploit (Sophos calls them Troj/20121889-B and Exp/20121889-A) – but the best solution of all would be to have a fix from Microsoft.
And for now, at least, we’re waiting to see when that’s going to appear.
Thanks to SophosLabs researcher Paul Baccas for his assistance with this article.