Independent research from several security firms provides increasing evidence that the Internet Explorer zero-day vulnerability just closed by Microsoft was being exploited by a professional for-hire team of hackers based out of China or sold by a "cyber arms dealer".
Called "the diskless 9002 RAT" by FireEye and assigned the common vulnerabilities and exposures identifier CVE-2013-3918, the vulnerability was known to be exploited in the wild, but not acknowledged by Microsoft until November 11 when it announced that it would be patched the next day.
The same Bit9 compromise was also the work of Chinese for-hire hacking team dubbed Hidden Lynx, according to Symantec. Providing further evidence that Hidden Lynx has been exploiting the latest zero-day is Symantec's discovery that the attack used a command and control server known to be operated by the group. The IP address of this server matches FireEye's reports, providing two separate accounts of the same group at work.
Symantec has taken the approach that several other attacks have been conducted by the one group, and it's easy to see why: FireEye notes that in many attacks the same malware tools, elements of code, binaries with shared timestamps, and the same stolen digital certificates are used. However, FireEye has since re-examined the evidence from several seemingly-related attacks to come to a different conclusion.
In a FireEye report, "Supply Chain Analysis: From Quartermaster to Sunshop", which examines the account of 11 advanced persistent threats thought to be linked, the company considers that the most likely explanation for similarities between attacks is the use of a shared development and logistics operation supporting attack campaigns.
"This development and logistics operation is best described as a 'digital quartermaster.' Its mission: supply and maintain malware tools and weapons to support cyber espionage. This digital quartermaster also might be a cyber arms dealer of sorts, a common supplier of tools used to conduct attacks and establish footholds in targeted systems," the report read.
It has a high level of confidence that this is the case and stated it has low confidence in the view that the attack campaigns were the result of one sophisticated group.
"This scenario is less likely because each cluster of activity utilised malware samples with different artifacts such as passwords, campaign identifiers, and mutexes. These artifacts were generally consistent within each cluster of activity but differed across clusters."
The zero-day vulnerability has now been patched in Microsoft's Patch Tuesday rollout.