Chinese espionage group allegedly used Windows and Flash flaws to target US military networks
Microsoft has patched a zero-day vulnerability affecting Internet Explorer 9 and later on Windows that was allegedly used in a Chinese espionage group's attempt to break into US military and financial services networks.
The Internet Explorer flaw was chained with a separate zero-day flaw in Adobe Flash. The campaign was uncovered by security firms Invincea and iSIGHT Partners after a computer at a US Defense Industrial Base organisation visited the compromised Forbes.com news website late last year.
Adobe patched the Flash vulnerability on 9 December, but all parties agreed to withhold details until Microsoft issued its Internet Explorer update for Windows earlier this week.
It is thought that Forbes' Flash-based 'Thought of the Day' widget, which is shown to every visitor to the site, served the exploit at least between 28 November and 1 December. Once a machine was infected, the malware went on to target other vulnerable systems on the same network.
Invincea's threat protection software detected the infected machines on the affected network even though the attack relied on a zero-day flaw and had already got past "several" other layers of security. The firm says no data was stolen as a result of the infection.
The group known as 'Codoso' has been blamed for the attack, with iSIGHT saying many elements of it were consistent with previous Chinese cyber espionage campaigns. It noted that the malware contained strings written in simplified Chinese and resembled variants of 'Derusbi', a malware family unique to Chinese cyber espionage operations.
In addition, the command-and-control infrastructure reused a domain seen in several previous Chinese cyber espionage campaigns, and at least three other websites, including ones covering the Uighur minority and Hong Kong democracy, hosted the same exploit before its public disclosure.
Both security firms have said that although huge numbers of users could have been infected given the popularity of Forbes.com, the exploit was served selectively and this was a highly targeted attack.
“Given the highly trafficked Forbes.com website, the exploit could have been used to infect massive numbers of visitors,” said Invincea. “In fact it was not used for that purpose. Across Invincea’s large footprint of over 20,000 firms, Invincea and iSIGHT can confirm only certain US Defense and financial services firms were targeted with this exploit from Forbes.com during this time period.”
“The collaboration between Invincea and iSIGHT and responsible disclosure with Microsoft demonstrates the power of intelligence integration with advanced threat protection tools in protecting organisations everywhere.”
Microsoft has been highly critical of Google for automatically disclosing two flaws in Windows 8.1 because they had not been patched within 90 days of being reported, the deadline Google's Project Zero applies. Microsoft says it asked Google to delay disclosure as a patch was in development, but Google published anyway.