European aeronautical supplier's website infected with "state-sponsored" zero-day exploit

Filed Under: Malware, Vulnerability

Jet fighter. Image from ShutterstockEarlier today, SophosLabs determined that the website of a European aeronautical parts supplier had been hacked, and a malicious attack planted on it which exploited a zero-day Microsoft security vulnerability that has not yet been patched.

We were alerted to the security problem when a Sophos customer attempted to visit the affected website, and received a warning message that a file on the site was infected by code which attempts to exploit the vulnerability in Microsoft XML Core Services which could allow Remote Code Execution (CVE-2012-1889).

SophosLabs experts determined that the hacked website had been breached, and cybercriminals had planted the following four files into a subdirectory:


Just one glance at the the filenames, and the use of the same critical zero-day vulnerability, should make clear the similarities to the incident we reported yesterday of an attack against a European medical company's website.

In both cases, the exploit is allowing what is known as a drive-by install: you can become infected simply by visiting a website with Internet Explorer.

So, what's going on?

Allow us to speculate a little.

Alert. Image courtesy of ShutterstockWe know that the CVE-2012-1889 vulnerability has been linked to Google's recent warnings about "state-sponsored attacks".

We know that a tried-and-trusted method of hacking into large companies and organisations is to target the supply chain. The theory goes that rather than try to hack a company which may have robust security practices and security teams, the bad actor can instead attack a smaller supplier who are less well placed to notice the security breach.

This may also provide something of a smokescreen, because smaller suppliers will not necessarily keep records and logs of sufficient detail, or for as great a length of time as the larger organisation.

We know that a hacker who manages to plant malicious code on the website of, say, a company which supplies aeronautical parts may reasonably predict that staff at a larger organisation - such as an arms manufacturer or defence ministry - might have reason to access the site.

Once the hackers have placed their malicious code on the supplier's website, they would simply wait for notification that their code has run on either the big company's network or a larger supplier further up the chain.

SophosLabs expert Paul Baccas described the concept to me rather nicely:

"Rather than use a worm to catch the biggest fish in the pond, you use a worm to catch a smaller fish, and then bait your hook with the smaller fish and repeat until you have caught the big fish."

Of course, we don't know if this is what has happened in this case. It's just speculation.

But interesting and, I believe, reasonable speculation none the less.

Because of the sensitivity of this latest case, we have decided not to name the company whose website has been hacked (we have been in touch with them, and they have since cleaned up their website), or the European country that they are based in.

What should you do?

Users running any flavor of supported Windows are vulnerable, from XP onwards up to and including Windows 7. All supported editions of Microsoft Office 2003 and Microsoft Office 2007 are also vulnerable.

Unfortunately, there is not yet an official patch from Microsoft - but they have suggested a workaround that will help prevent the vulnerability from being exploited.

Microsoft's security advisory recommends that IE and Office users immediately install a Fix it solution, downloadable with instructions from Microsoft Knowledge Base Article 2719615, until the company rolls out a final, proper fix.

Threat level criticalDon't underestimate the seriousness of this vulnerability. It's being actively exploited in the wild, and there is currently no patch available for it. As a result, Sophos raised its threat level rating to its highest level - "Critical".

Security products such as Sophos do provide protection against the exploit (Sophos calls them Troj/20121889-B and Exp/20121889-A) - but the best solution of all would be to have a fix from Microsoft.

And for now, at least, we're waiting to see when that's going to appear.

Thanks to SophosLabs researcher Paul Baccas for his assistance with this article.

Alert and Fighter jet images courtesy of Shutterstock.

, , , , , , ,

You might like

4 Responses to European aeronautical supplier's website infected with "state-sponsored" zero-day exploit

  1. Chris · 1205 days ago

    Why is it that Sophos has raised their threat level to critical while other companies such as Symantec and McAfee remain at normal? No doubt the threat is viable and in the wild, but is there a lack of protection from Sophos that the other vendors have in place for this particular exploit as to not seem to be as concerned about it?
    Thank you

  2. "We know that the CVE-2012-1889 vulnerability has been linked to Google's recent warnings about "state-sponsored attacks"."

    I'm not sure at this stage that this would be sufficient evidence that it was a "state-sponsored" attack. I think this would depend on when the original attack took place - before or after public distribution of this vulnerability. By now it's likely any number of people could be exploiting this vulnerability. If a forensics examination determines this attack originated some time back before the vulnerability was disclosed, it would add some weight to the argument. But we still don't know who else may have independently discovered the flaw.

    The selection of targets itself also doesn't clearly identify an attack as "state-sponsored" either. ANY organization by definition has numerous enemies of different types and many of them might have the resources or motivations to employ a relatively sophisticated attack.

    Bottom line: I'm wary of the term "state-sponsored" without at least some prima facie evidence that links more or less directly back to an actual state entity. For instance, just pointing to "China" as Richard Bejtlich does means nothing - there are any number of corrupt Chinese corporations and individuals besides the government. And indeed the entire Far East, Middle East, South America, Africa and even Europe are riddled with corrupt corporations and individuals. Industrial espionage and sabotage is a way of life in most of these countries.

    So I think it behooves the industry to tone down the "state-sponsored" stuff every time someone gets hit with a relatively sophisticated attack. All that does is ratchet up the justification for "cyberwar" and possibly ill-considered legislation and will probably end up making things worse for everyone (if that's even possible.)

  3. Stuart · 1204 days ago

    Why is it when i try and find out more information about the threat via the microsoft page which includes the "Fix It Now" option, i get redirected to "404 - File or directory not found." page on the microsoft site! lol bloody microsoft cant even host a web page long enough for people to read it, im not surprised they are taking their time on actually providing an offical "Fix"

    Will be applying the fix to my systems tonight anyway Thnks for the warning sophos.

    Anyone else think maybe the Antivirus companies should club together to create the new OS? it would appear MS seem to leave gaping wholes in their systems (Have microsoft ever released something which has been 100% tested before?)

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog at, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley