The flaw in Microsoft Corp's IE 10 Web browser was reported on Thursday, days after it was used inside the Web page of nonprofit U.S. group Veterans of Foreign Wars. The VFW said Friday that an unspecified federal law enforcement agency is investigating and that the malicious code on its site had been removed.
Security firm Websense Inc said it found similar attack code on a page set up on Jan. 20 with a Web address nearly identical to one used by a French aerospace association.
That suggests the attacks using the flaw have been going on for at least three weeks, but might have succeeded earlier against higher-value targets and escaped discovery, said Websense Director of Security Research Alexander Watson.
FireEye Inc, which discovered the VFW attack, said it appeared connected to previous attacks against the Japanese financial sector, security firm Bit9 and others that Symantec Corp security researchers attributed to a large and well-organized group in China. ()
The latest attacks are considered to be sophisticated as they rely on a previously unknown flaw of a sort that can cost $50,000 or more when sold by shadowy brokers to government agencies or contractors. The industry calls these flaws "zero-day vulnerabilities."
They also seem part of a multistage operation, with the attackers seeking to break into the computers of U.S. veterans or French defense contractors in the future. Once there, they could look
Although the initial report in the new campaign mentioned only IE 10, Microsoft said it had determined that IE 9 is also vulnerable.
"We recommend customers upgrade to Internet Explorer 11 for added protection," said Adrienne Hall, general manager of Microsoft's Trustworthy Computing Group.
Despite the use of the unknown flaw, Websense's Watson said the attacks were not that hard to spot. For one thing, a program that exploited the flaw was submitted on Jan. 20 to Virus Total, a free Google Inc service that shows whether any major antivirus provider would block the sample. In this case, none did. In addition, the programming language operated in the open, without complicated obfuscation that can deter analysis.
Watson said that was why he felt the attacks could prove to be by a new group, or even two different new groups. As an example, the exploit code might have been written elsewhere, and used with more success, then passed along to a new group with less expertise.
The French page that was imitated is GIFAS, which claims more than 300 members, including contractors making satellites, missiles and other arms, as well as helicopters, military planes and engines.
Links to the fake page might have been sent via email to industry officials.
In the VFW's case, the hackers broke into the real Web page and inserted code shown to visitors that would lead to infection if they were using the right version of IE. FireEye said hundreds or thousands of infections occurred.
VFW spokeswoman Randi K. Law said the nonprofit group was working with law enforcement and private security incident responders.
"At this point, there is no indication that any member or donor data was compromised," she said in an email.
It was unclear whether that statement referred to the computers of website visitors or merely data stored by the VFW itself, and she did not respond to follow-up questions.
The FBI did not return a call seeking comment.