Hackers use ‘Double Tap’ to exploit Windows OLE bug under Operation Clandestine Fox
Researchers at FireEye have discovered that the known cyber criminal group APT3, also known as UPS, has started using recently disclosed vulnerabilities to target Windows machines. FireEye notes that the group began the attacks on 19 November 2014, targeting multiple high-profile organizations. APT3 has successfully used multiple Windows exploits, targeting both CVE-2014-6332 and CVE-2014-4113. CVE-2014-6332, disclosed publicly on 11 November 2014, is a Windows OLE Automation Array remote code execution flaw, while CVE-2014-4113, disclosed publicly on 14 October 2014, is a privilege escalation vulnerability. This is the same group that was behind “Operation Clandestine Fox”, which inflicted considerable damage back in April 2014.
Flaws patched, yet targeted
One of the bugs, CVE-2014-6332, was fixed by a patch Microsoft released on the November 2014 Patch Tuesday, and was noted for having been remotely exploitable for 18 years prior to the update. Researchers warned that the Windows OLE Automation Array remote code execution vulnerability presented a serious security issue to users, as it affects every version of Microsoft Windows since Windows 95.
At the time, IBM X-Force Research manager Robert Freeman said that remote exploitation became possible with the release of Internet Explorer 3.0 in 1996, when Visual Basic Script (VBScript) was introduced. In an interview with SC Magazine, Freeman explained that exploitation of the bug would be a “tricky” feat, but also “very formulaic” to recreate once attackers came up with attack scenarios, which APT3 seems to have done. “The same VBScript code will cause the same outcome all of the time,” Freeman said in the interview. Now, it seems, APT3 is successfully leveraging both vulnerabilities to target unpatched systems in corporate networks.
According to FireEye researchers, the Windows OLE bug and a separate Windows kernel privilege escalation vulnerability, CVE-2014-4113, have been targeted by the threat group called APT3. Both flaws have been patched in Microsoft’s monthly Patch Tuesday updates (CVE-2014-4113 in MS14-058 in October 2014 and CVE-2014-6332 in MS14-064 in November 2014), but that has not stopped this group from using them, as many users, including some corporations, do not take updates seriously enough; an exploit for an already-patched bug keeps working for as long as the victim’s patch lag lasts.
Clandestine Fox campaign
This was the earlier campaign that brought APT3 to the attention of security experts. In it, the group used a zero-day (previously unknown) bug in Internet Explorer to target users. After a period of time, they became brazen enough to use social engineering against victims. In one such attack, they targeted an energy company: they contacted an employee of the company and sent him an e-mail containing malicious files, which eventually installed a backdoor called “Cookie Cutter” on the machine, opening the doors of that corporate network to the APT3 gang.
In the most recent wave of phishing lures, beginning last Wednesday and dubbed “Operation Double Tap,” attackers sent malicious phishing emails claiming to offer a free month’s membership to a Playboy website, FireEye warned. On Oct. 28, APT3 was again observed sending spear-phishing emails to unsuspecting victims, which ultimately installed the same ‘Cookie Cutter’ backdoor used in Operation Clandestine Fox on vulnerable users’ machines.
FireEye published indicators of compromise (IOCs) in its post.
“Since Operation Clandestine Fox, we have observed this actor execute multiple attacks that did not rely on zero-day exploits,” the blog post said. “The combination of this sustained operational tempo and lack of zero-day exploits may indicate that this group has changed strategy and has decided to attack more frequently and does not have steady access to zero-day exploit code,” FireEye said.
John Kuhn, senior threat researcher at IBM X-Force, in an interview with SC Magazine revealed that his company had also detected separate attacks targeting the OLE bug in Windows. “Someone released a proof-of-concept code from a Twitter feed I’ve been tracking for awhile,” he said. Almost immediately afterwards, other hackers had taken up the attack code, tweaking it only slightly, Kuhn added. “It goes all the way back to Windows 95, and that’s a wide net to cast,” he said of the bug. While spear phishing appears to be the “key” to the success of ‘Double Tap,’ Kuhn revealed that, in one instance, attackers posted a malicious link to a very popular Russian forum to try to exploit Windows users.
Trey Ford, global security strategist at Rapid7, in another interview spoke more on the same issue. “When vulnerabilities are being exploited in the wild, honoring the secrecy of an unpatched [bug] while waiting for a fix loses value,” he wrote. “The false economy of secret information protects the attackers, not the defenders. On the positive, a patch already exists – so the priority of applying a patch (released Nov 11, so two weeks ago tomorrow) will encourage defenders to escalate and accelerate patch deployment,” he continued.
“Moments like these are when we take a long, hard look at patch testing cycles and ask – can we do this faster, and what is the risk associated with delay?” Ford said.
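Ford’s point is that both bugs APT3 is exploiting already have fixes, so the practical question for a defender is which hosts still lack them. The following PowerShell script is an added example, not code from the original article or from FireEye’s post: it lists the installed updates on a host and reports whether the two relevant ones are present. The bulletin-to-KB mapping in it (MS14-058 to KB3000061 for CVE-2014-4113, MS14-064 to KB3006226 for CVE-2014-6332) is the author’s recollection of the October and November 2014 bulletins and is an assumption; the KB that `Get-HotFix` reports varies by Windows version, so verify the numbers against the bulletin for your build before relying on the result.

```powershell
# Added example (not from the original article or FireEye's post): check a Windows
# host for the updates that close the two CVEs APT3 is exploiting.
# ASSUMPTION: the bulletin-to-KB mapping below is the author's recollection of the
# October/November 2014 bulletins; the KB that Get-HotFix reports depends on the
# OS version, so verify the numbers against the bulletin for your build.
$RequiredUpdates = @(
    @{ CVE = 'CVE-2014-4113'; Bulletin = 'MS14-058'; KB = 'KB3000061'; Note = 'win32k.sys privilege escalation' },
    @{ CVE = 'CVE-2014-6332'; Bulletin = 'MS14-064'; KB = 'KB3006226'; Note = 'OLE Automation array RCE' }
)

function Test-ClandestineFoxPatches {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # Get-HotFix enumerates installed updates via Win32_QuickFixEngineering.
    $installed = Get-HotFix -ComputerName $ComputerName -ErrorAction Stop |
                 Select-Object -ExpandProperty HotFixID

    # Emit one row per required update so the output can be filtered or exported.
    foreach ($u in $RequiredUpdates) {
        [pscustomobject]@{
            ComputerName = $ComputerName
            CVE          = $u.CVE
            Bulletin     = $u.Bulletin
            KB           = $u.KB
            Installed    = ($installed -contains $u.KB)
            Note         = $u.Note
        }
    }
}

# Usage: run against the local host; pass -ComputerName to check a remote one.
Test-ClandestineFoxPatches | Format-Table -AutoSize
```

Two caveats when reading the output: `Get-HotFix` only sees updates recorded by the Windows servicing stack, so a fix delivered inside a later cumulative rollup may not appear under the original KB number, and a host that reports the OLE patch as installed is still exposed to CVE-2014-4113 if the kernel update is missing, since the phishing chain described above pairs remote code execution with privilege escalation. Run the check across the fleet rather than on one sample machine; patch lag is what keeps an already-fixed bug useful to APT3.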