New threats exploit IE flaw

By Kirsten Doyle, ITWeb contributor.
Johannesburg, 03 Oct 2013
Three advanced persistent threat campaigns are taking advantage of the Internet Explorer vulnerability.

Three new threats are exploiting the Internet Explorer vulnerability reported by Microsoft two weeks ago.

A week ago, FireEye reported it had uncovered a campaign called "Operation DeputyDog" - a large-scale intelligence-gathering operation that was using remote access malware to exfiltrate information from entities across government, hi-tech and manufacturing in Japan.

Now, FireEye reports three new advanced persistent threat (APT) campaigns are also taking advantage of the vulnerability.

In the FireEye blog, researchers Ned Moran and Nart Villeneuve say it is common for APT threat actors to share exploits with others who are "lower on the zero-day food chain", particularly once the exploit is freely available.

Apart from using the same exploit, the new threats - Web2Crew, Taidoor, and th3bug - are not related to DeputyDog, the researchers say.

They added that these groups can also be seen reusing command and control (C&C) infrastructure, even though the exploit was distributed via different channels.

"For example, although the first reported use of CVE-2013-3893 in Operation DeputyDog was 23 August 2013, the C&C infrastructure had been used in earlier campaigns."

Maximising the return

Deon La Grange, country manager of FireEye SA, says cyber criminals make significant investments in time to do reconnaissance, discover or acquire exploits or malware, as well as the infrastructure to launch and control personal targeted attacks.

"Once these attacks have been executed, they endeavour to maximise their return on investment and effort by repurposing their infrastructure, exploit, or attack code to achieve further gains," he adds.

According to him, cyber criminals know that, in certain circumstances, the exploit may be discovered, yet the patch may not be readily available, or some organisations may not necessarily have the systems in place to defend themselves, "which results in what we term the 'half-day attack' versus 'the zero-day attack', which is completely unknown until seen in the wild for the first time".

FireEye says APT campaigns have specific activity that can be clustered and tracked by unique indicators, and some campaigns employ the same malware - sometimes widely available malware such as PoisonIvy - and the same exploits. "It is not uncommon for zero-day exploits to be handed down to additional APT campaigns after they have already been used."
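The clustering idea above, as an added example that is not part of the original article or FireEye's data: given indicator records per campaign, a shared C&C host is treated as a strong pivot, while a shared exploit or a commodity RAT such as PoisonIvy is treated as weak evidence on its own, since the article notes both are handed down between groups. The campaign names come from the article; the hostnames, the "Earlier" campaign and the weights are constructed assumptions.

```python
from itertools import combinations

# Constructed sample records, not FireEye's findings: for each campaign, the
# exploit, malware family and C&C hosts observed. Hostnames are placeholders.
CAMPAIGNS = {
    "DeputyDog": {"exploit": {"CVE-2013-3893"}, "malware": {"custom-rat"},
                  "c2": {"c2-a.invalid", "c2-b.invalid"}},
    "Web2Crew":  {"exploit": {"CVE-2013-3893"}, "malware": {"PoisonIvy"},
                  "c2": {"c2-c.invalid"}},
    "Taidoor":   {"exploit": {"CVE-2013-3893"}, "malware": {"Taidoor"},
                  "c2": {"c2-d.invalid"}},
    "th3bug":    {"exploit": {"CVE-2013-3893"}, "malware": {"PoisonIvy"},
                  "c2": {"c2-e.invalid"}},
    # Hypothetical earlier campaign that reused one of the DeputyDog C&C hosts
    "Earlier":   {"exploit": set(), "malware": {"custom-rat"},
                  "c2": {"c2-a.invalid"}},
}

# Shared infrastructure is a strong pivot; a shared exploit is worth nothing
# by itself once it circulates. Commodity RATs are ignored as a pivot.
WEIGHTS = {"c2": 3, "malware": 1, "exploit": 0}
COMMODITY_MALWARE = {"PoisonIvy"}
STRONG_THRESHOLD = 3

def shared_indicators(a, b):
    """Indicators common to two campaign records, keyed by indicator type."""
    shared = {}
    for kind in WEIGHTS:
        common = a[kind] & b[kind]
        if kind == "malware":
            common = common - COMMODITY_MALWARE
        if common:
            shared[kind] = common
    return shared

def assess_link(name_a, name_b, campaigns=CAMPAIGNS):
    """Return (label, score, shared) describing how two campaigns overlap."""
    shared = shared_indicators(campaigns[name_a], campaigns[name_b])
    score = sum(WEIGHTS[kind] for kind in shared)
    if score >= STRONG_THRESHOLD:
        label = "shared infrastructure"
    elif shared:
        label = "exploit/tooling only"
    else:
        label = "no overlap"
    return label, score, shared

if __name__ == "__main__":
    for a, b in combinations(CAMPAIGNS, 2):
        label, score, shared = assess_link(a, b)
        print(f"{a:10} {b:10} {label:22} score={score} {shared}")
```

Running it shows DeputyDog linked to the earlier campaign through the reused C&C host, while the three new campaigns overlap with DeputyDog only on CVE-2013-3893, which is the article's point that a shared exploit alone does not make groups related.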