Just over a week ago FireEye published details of an APT campaign – which it called Operation DeputyDog – that makes use of the CVE-2013-3893 vulnerability. FireEye had discovered that an exploit for the vulnerability had been in use since at least August 23, 2013 targeting primarily organizations in Japan.
Now it has learnt that "the same exploit was used by different threat actors," write Ned Moran and Nart Villeneuve in a company blog post. In one sense the post is a riposte to a Websense report dated 26 September. Websense stated, "Our ThreatSeeker Intelligence Cloud reported a potential victim organization in Taiwan attempting to communicate with the associated malicious command and control server as far back as July 1, 2013. These C&C communications predate the widely-reported first use of this attack infrastructure by more than six weeks, and indicate that the attacks from this threat actor are not just limited to Japan."
But FireEye claims that this conclusion rests on the Taiwanese victim's use of the same C&C infrastructure used by the DeputyDog actors, and maintains that it has seen "no indication that the attackers used CVE-2013-3893 prior to August 23, 2013."
FireEye's argument is that different APT groups share the same exploit between themselves, while the same actors will reuse existing C&C infrastructures for different campaigns. It notes that on September 25, "an actor we call Web2Crew utilized CVE-2013-3893 to drop PoisonIvy (not DeputyDog malware)." The attack was targeting a Taiwanese financial services company.
By September 26, a separate group that it calls Taidoor was using the same exploit on at least one compromised Taiwanese government website and also at www.atmovies[.]com[.]tw/home/temp1.html, again targeting the same finance company.
By September 27, the group it calls 'th3bug' was also using the same exploit to drop a PoisonIvy payload on its victims. "Based on a very preliminary analysis," Moran told Infosecurity, "it appears to be the same exploit. At this point we have not found other implementations of the exploit." That is, it is one and the same exploit being shared, rather than different exploits written for the same vulnerability.
"It is not uncommon for APT groups to hand off exploits to others, who are lower on the zero-day food chain," writes FireEye, "especially after the exploit becomes publicly available." But the question of who is doing what with which and to whom gets more complicated, since the APT groups reuse old C&C infrastructures in new campaigns. For example, the infrastructure used in the Operation DeputyDog campaign had earlier been used by the same actor to host a PoisonIvy control center. Similarly, the DeputyDog malware was already in use back in March 2013, but was not delivered via this exploit.
What this shows is that once the existence of a new exploit becomes common knowledge, it is rapidly shared between different APT groups for different purposes. But that's not the end of it. FireEye's final conclusion is, "We expect that CVE-2013-3893 will continue to be handed down to additional APT campaigns and may eventually find its way into the cyber-crime underground." That is now an inevitability.
Metasploit yesterday added an exploit for CVE-2013-3893. It's not clear whether this is the very same exploit, or one built on the knowledge of the vulnerability. The exploit used was found on the internet and submitted to Metasploit. An upsurge in simple criminal activity, rather than targeted APT activity, is now "a reasonable assumption," Moran told Infosecurity.
It is, therefore, now more important than ever that IE users make use of Microsoft's Fix it pending a formal patch to Internet Explorer.