The watering hole attack exploiting an Internet Explorer Zero Day vulnerability did not just hit the Council on Foreign Relations (CFR) site. It also hit a supplier to the energy industry.
A Metasploit contributor, Eric Romang, said Capstone Turbine Corp., which builds power generation equipment for utilities, has been infected with malware exploiting CVE-2012-4969 since September and with the latest IE exploit since Dec. 18.
Meanwhile, a Metasploit module has been added to the exploit platform, which could rapidly increase the public availability of exploits.
Microsoft said it is still working on a security update for the browser vulnerability; as a temporary solution, it released a fix Monday.
Watering hole attacks use drive-bys to target visitors of particular websites; attackers infect the sites with malware that gives the attacker access to the victim’s computer to install more malware or monitor their activities. Watering hole attacks have seen use in previous advanced persistent threat (APT)-style attacks against Google, large manufacturers and technology companies.
Capstone figures to be a valuable target, Romang said, given its position in the energy community as a producer of microturbine energy products. He found the same malicious HTML file on the Capstone site as on the CFR site.
IE 6, 7 and 8 contain the Zero Day, a use-after-free vulnerability, researchers said. IE 9 and 10 do not suffer from the problem.
CFR is a foreign-policy resource; notable public figures are among its directors and membership. Those government and public officials are the likely targets of the espionage campaign.
Microsoft recommends users deploy the Fix It or update their browsers to the latest version. Microsoft’s Jonathan Ness and Cristian Craioveanu wrote in a blog post that the MSHTML appcompat shim modifies the vulnerable function to return NULL.
The vulnerability, Microsoft said, occurs in the way IE accesses an object in memory that has been deleted or has not been properly allocated. Memory could end up corrupted and allow an attacker to execute code with the user’s privileges.