{"id":3580,"date":"2014-03-31T13:09:18","date_gmt":"2014-03-31T13:09:18","guid":{"rendered":"https:\/\/live-infoblox-blog.pantheonsite.io\/?p=3580"},"modified":"2020-05-06T10:31:35","modified_gmt":"2020-05-06T17:31:35","slug":"operation-vfw-snowman-waterhole-attack-from-u-s-veterans-of-foreign-wars-website","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/community\/operation-vfw-snowman-waterhole-attack-from-u-s-veterans-of-foreign-wars-website\/","title":{"rendered":"Operation VFW Snowman Waterhole Attack from U.S. Veterans of Foreign Wars Website"},"content":{"rendered":"<p>On February 11, a zero-day exploit was discovered targeting systems running fully patched versions of Internet Explorer 9 or 10. \u00a0Malware using this attack was being hosted from the compromised site of the U.S. Veterans of Foreign Wars (VFW) Website, targeting visitors to the site. The attacks seem to be directed at specific targets in the Advanced Persistent Threat, or APT, style commonly attributed to rogue government organizations or other groups with advanced resources.<\/p>\n<h3 id=\"toc-hId--1902368712\">Targets<\/h3>\n<p>Military personnel and others visiting the VFW website using Windows and Internet Explorer 9 or 10 got infected by the malware. The name \u2018Snowman\u2019 comes from the snow storm that struck the Northeast and Washington DC\/Maryland area closing government offices and keeping Dept. of Defense employees home. The attack was launched to coincide with this storm as many veterans in the Washington DC area work for the Dept. 
of Defense.<\/p>\n<h3 id=\"toc-hId--1873739561\">Technical details<\/h3>\n<p>Watering hole attacks target a business, organization, or group of people by injecting the attack code into websites that the target group frequently visits and trusts.<\/p>\n<p>Operation Snowman is a watering hole attack campaign that started by compromising the VFW website and altering its HTML code.<\/p>\n<p>The attackers injected JavaScript code into the website that created a malicious iFrame. The malicious iFrame then targeted a zero-day bug in Internet Explorer 9 or 10. The bug allows the attackers to bypass two defensive technologies: address space layout randomization (ASLR) and data execution prevention (DEP). The attack, identified by Common Vulnerability Enumeration identifier CVE-2014-0322, installed a backdoor that let the attackers remove data from an infected computer. The malicious JavaScript routine then loaded a Flash object that downloaded a ZxShell backdoor onto the targeted Windows system.<\/p>\n<p>The ZxShell backdoor is publicly available and has been widely used in several attacks linked to cyber espionage operations. In this instance, the ZxShell backdoor attempted to contact the Command and Control (CnC) server located at domain newss.effers.com, which resolved to IP address 118.99.60.142 at the time of discovery.<\/p>\n<p>The mentioned domains and IP addresses have been used in other attacks, specifically Operation DeputyDog and Operation Ephemeral Hydra, suggesting that those attacks were organized by the same group, which has previously targeted U.S. government entities, Japanese firms, law firms and IT companies, among others.<\/p>\n<h3 id=\"toc-hId--1845110410\">How existing security defenses are evaded<\/h3>\n<p>Software often has security vulnerabilities, but users have become savvier about avoiding unknown domains. 
The watering hole method is meant to bypass this behavioral defense by using trusted websites.<\/p>\n<p>Existing systems do not provide any means for the user to identify a compromised website that used to be trusted. In this case, a previously undiscovered vulnerability, usually referred to as a zero-day, was used as the means to infect the victim systems.<\/p>\n<h3 id=\"toc-hId--1816481259\">Infoblox can help protect against this attack<\/h3>\n<h4 id=\"toc-hId--45041773\">GENERAL BEST PRACTICES RECOMMENDATIONS<\/h4>\n<p>Keeping up with patching is one of the best defenses. Keep operating systems and web browsers fully patched, and ensure that third-party patches are applied as soon as possible.<\/p>\n<p>In addition, administrators can ensure that compromised websites hosting malicious content are kept away from end-users by filtering web traffic at the network level. This can be done at URL level or at domain level.<\/p>\n<p>The exploit targets a vulnerability in Internet Explorer releases 9 and 10 using Adobe Flash. It will abort if it detects the presence of Microsoft\u2019s Experience Mitigation Toolkit (EMET). To avoid infection, install EMET, upgrade to Internet Explorer 11 and disable Adobe Flash.<\/p>\n<h4 id=\"toc-hId--16412622\">ATTACK-SPECIFIC RECOMMENDATIONS<\/h4>\n<p>Infoblox DNS Firewall is an application run on an Infoblox DNS server. It will disrupt communication by not resolving DNS queries for botnets and CnC servers. All resolved DNS queries are compared to a continually updated table of \u2018bad\u2019 domains and IP addresses with which communication should not be allowed. Resolved DNS queries to malicious domains and IP addresses are either blocked or redirected.<\/p>\n<p>Infoblox DNS Firewall blocks resolution to IP address 118.99.60.142. Based on other domains resolving to the same IP 118.99.60.142, the following IPs were identified as potential CnC servers. 
These IP addresses and domains are also blocked by DNS Firewall:<\/p>\n<ul>\n<li>118.99.60.142<\/li>\n<li>58.64.200.178<\/li>\n<li>58.64.200.179<\/li>\n<li>103.20.192.4<\/li>\n<\/ul>\n<p>The following domains have been linked to the mentioned IPs:<\/p>\n<ul>\n<li>icybin.flnet.org<\/li>\n<li>info.flnet.org<\/li>\n<li>book.flnet.org<\/li>\n<li>me.scieron.com<\/li>\n<li>cht.blankchair.com<\/li>\n<li>ali.blankchair.com<\/li>\n<li>dll.freshdns.com<\/li>\n<li>rt.blankchair.com<\/li>\n<\/ul>\n<p>DNS Firewall Subscription Service updates DNS Firewall servers every 2 hours with updated information on domains and IP addresses (networks) that make up the VFW Snowman infrastructure.<\/p>\n<p>If the Infoblox DHCP and Reporting server are installed, network administrators can pinpoint the infected devices by IP and MAC address, device type (DHCP fingerprinting), host name (if configured) and DHCP lease history (on\/off network).<\/p>\n<h3 id=\"toc-hId--1730593806\">External sources<\/h3>\n<ul>\n<li><a href=\"http:\/\/www.fireeye.com\/blog\/uncategorized\/2014\/02\/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Operation SnowMan: DeputyDog Actor Compromises US Veterans of Foreign Wars Website<\/a>\u00a0by FireEye<\/li>\n<li><a href=\"http:\/\/blog.emsisoft.com\/2014\/02\/16\/new-internet-explorer-zero-day-attack-operation-snowman\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">New Internet Explorer Zero Day Attack: Operation Snowman<\/a>\u00a0by Emsisoft<\/li>\n<li><a href=\"http:\/\/www.informationweek.com\/security\/attacks-and-breaches\/snowman-attack-campaign-targets-ie10-zero-day-bug\/d\/d-id\/1113841\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Snowman Attack Campaign Targets IE10 Zero-Day Bug<\/a>\u00a0by InformationWeek<\/li>\n<li><a 
href=\"http:\/\/www.infoworld.com\/t\/web-browsers\/internet-explorer-snowman-zero-day-spreading-use-alternative-or-patch-kb-2934088-237200\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Internet Explorer &#8216;SnowMan&#8217; zero-day spreading: Use alternative or patch with KB 2934088<\/a>\u00a0by InfoWorld<\/li>\n<li><a href=\"http:\/\/www.hacksurfer.com\/posts\/operation-snowman-group-continues-series-of-attacks-to-steal-information\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">&#8220;Operation Snowman&#8221; Group Continues Series of Attacks to Steal Information<\/a><\/li>\n<\/ul>\n","protected":false},"author":295,"featured_media":2608,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","categories":[3],"tags":[16,15],"yoast_head_json":{"author":"Infoblox Security","og_site_name":"Infoblox Blog"}}