Hackers use ‘Double Tap’ to exploit Windows OLE bug under Operation Clandestine Fox

Flaws patched, yet targeted

One of the bugs, CVE-2014-6332, was fixed in Microsoft’s November Patch Tuesday release and was noted for having been remotely exploitable for 18 years prior to the update. The Windows OLE Automation Array Remote Code Execution vulnerability presented a serious security issue, researchers warned, as it affects every version of Microsoft Windows since Windows 95. At the time, IBM X-Force Research manager Robert Freeman said that remote exploitation became possible with the release of Internet Explorer 3.0 in 1996, when Visual Basic Script (VBScript) was introduced. In an interview with SC Magazine, Freeman explained that exploiting the bug would be a “tricky” feat, but also “very formulaic” to recreate once attackers came up with attack scenarios, which APT3 appears to have done. “The same VBScript code will cause the same outcome all of the time,” Freeman said in the interview. APT3 now appears to be successfully leveraging both vulnerabilities to target unpatched systems in corporate networks. According to FireEye researchers, the Windows OLE bug and a separate Windows privilege escalation vulnerability, CVE-2014-4113, have been used by the threat group known as APT3. Both flaws have been patched in Microsoft’s monthly updates, but that hasn’t stopped the group from exploiting them, since many users, including some corporate environments, don’t take updates seriously enough.

Clandestine Fox campaign

This was the earlier campaign that brought APT3 to the attention of security researchers. In it, the group used a zero-day (previously unknown) bug in Internet Explorer to target users. Later, the group grew brazen enough to use social engineering against its victims. In one such attack, it targeted an energy company: the attackers contacted an employee of the company and sent him an e-mail containing malicious files, which eventually installed a backdoor called “Cookie Cutter” on his machine, opening that corporate network to the APT3 group.

Expert Speak

In the most recent wave of phishing lures, which began last Wednesday and has been dubbed “Operation Double Tap,” attackers sent malicious phishing emails claiming to offer a free month’s membership to a Playboy website, FireEye warned. On Oct. 28, APT3 was again observed sending spear phishing emails to unsuspecting victims, which ultimately installed the same “Cookie Cutter” backdoor used in Operation Clandestine Fox on vulnerable users’ machines. FireEye published indicators of compromise (IOCs) in its post.

John Kuhn, senior threat researcher at IBM X-Force, revealed in an interview with SC Magazine that his company had also detected separate attacks targeting the OLE bug in Windows. “Someone released a proof-of-concept code from a Twitter feed I’ve been tracking for awhile,” he said. Almost immediately afterwards, other hackers had taken up the attack code, tweaking it only slightly, Kuhn added. “It goes all the way back to Windows 95, and that’s a wide net to cast,” he said of the bug. While spear phishing appears to be the “key” to the success of ‘Double Tap,’ Kuhn revealed that, in one instance, attackers posted a malicious link to a very popular Russian forum in an attempt to exploit Windows users.

Trey Ford, global security strategist at Rapid7, weighed in on the same issue. “When vulnerabilities are being exploited in the wild, honoring the secrecy of an unpatched [bug] while waiting for a fix loses value,” he wrote. “The false economy of secret information protects the attackers, not the defenders. On the positive, a patch already exists – so the priority of applying a patch (released Nov 11, so two weeks ago tomorrow) will encourage defenders to escalate and accelerate patch deployment,” he continued. “Moments like these are when we take a long, hard look at patch testing cycles and ask – can we do this faster, and what is the risk associated with delay?” Ford said.