New Internet Explorer zeroday was used in the DoL Watering Hole campaign

May 5, 2013 | Jaime Blasco

In our first analysis we reported that the exploited vulnerability was CVE-2012-4792. Further analysis showed that the vulnerability exploited wasn't CVE-2012-4792 but a new zero-day vulnerability affecting Internet Explorer 8 (CVE-2013-1347). This was confirmed by Microsoft, which released a Security Advisory on Friday, and also by FireEye and Invincea.

In addition, we have found that the U.S. Department of Labor website wasn't the only entity affected, and we can confirm that at least 9 other websites were redirecting to the malicious server at the same time. The list of affected sites includes several non-profit groups and institutes as well as a large European company that operates in the aerospace, defence and security markets.

Finally, we detected several redirections to another malicious server located at www[.]sellagreement[.]com (198.96.92.107) that was serving parts of the malicious payloads found on dol[.]ns01[.]us.

We recommend that you search your logs for connections to those domains and IP addresses.
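The log search recommended above, as an added example that is not part of the original post: it refangs the three indicators quoted here and matches them against host and IP tokens in log lines, so subdomains of a listed host are flagged while look-alike hostnames and partial IP matches are not. The function names and the sample log lines are assumptions made for illustration.

```python
import re

# Indicators exactly as published in the post (still defanged).
PUBLISHED_IOCS = ["www[.]sellagreement[.]com", "dol[.]ns01[.]us", "198.96.92.107"]
HOST_TOKEN = re.compile(r"[A-Za-z0-9.-]+")   # candidate hostnames and IPs
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def refang(indicator):
    # 'dol[.]ns01[.]us' becomes the matchable form 'dol.ns01.us'.
    return indicator.replace("[.]", ".").lower()


def match_indicator(token, indicators):
    """Return the indicator that a host or IP token matches, else None."""
    token = token.lower().strip(".-")        # drop trailing FQDN dot
    for ioc in indicators:
        if token == ioc:
            return ioc
        # Subdomains of a listed host count; look-alike hosts and IPs do not.
        if not IPV4.fullmatch(ioc) and token.endswith("." + ioc):
            return ioc
    return None


def find_hits(lines, published=PUBLISHED_IOCS):
    """Return (line_number, indicator, line) for each matching log line."""
    indicators = [refang(i) for i in published]
    hits = []
    for number, line in enumerate(lines, start=1):
        matched = {m for t in HOST_TOKEN.findall(line)
                   if (m := match_indicator(t, indicators))}
        hits.extend((number, ioc, line) for ioc in sorted(matched))
    return hits


# Constructed proxy, firewall and DNS lines for illustration; not real traffic.
SAMPLE_LOG = [
    "192.0.2.10 GET http://dol.ns01.us/index.html 200",
    "192.0.2.10 CONNECT WWW.SellAgreement.com:80 200",
    "fw allow src=192.0.2.11 dst=198.96.92.107 dport=80",
    "dns query cdn.dol.ns01.us. A from 192.0.2.12",
    "192.0.2.13 GET http://notdol.ns01.us/ 200",
    "192.0.2.13 GET http://www.sellagreement.com.example.org/ 200",
    "fw allow src=192.0.2.14 dst=198.96.92.10 dport=107",
]

if __name__ == "__main__":
    for number, ioc, line in find_hits(SAMPLE_LOG):
        print(f"line {number}: {ioc}: {line}")
```

Matching stays at the hosts the post names rather than their parent domains, which keeps unrelated hosts under the same parent out of the results.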


About the Author: Jaime Blasco
Jaime Blasco is a renowned Security Researcher with broad experience in network security, malware analysis and incident response. At AlienVault, Jaime leads the Lab Intelligence and Research team, which leads the charge in researching and integrating threat intelligence into detection mechanisms. Prior to working at AlienVault he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. He is based in San Francisco. Jaime's work in emerging threats and targeted attacks is frequently cited in international publications such as the New York Times, BBC, Washington Post and Al Jazeera.