Zero-day exploit infects European aeronautical parts supplier's website

SophosLabs alerts users about an as-yet un-patched security vulnerability in Microsoft software. SophosLabs reveals that the website of a European aeronautical parts supplier has been hacked and a malicious attack planted on the website exploits zero-day Microsoft security vulnerability. The website’s name is not disclosed due to the sensitivity of the situation.

Hack to protest (Image Credit: Getty Images)

Sophos alerts users... (Image Credit: Getty Images)


A Sophos customer attempted to visit the affected website, and received a warning message that a file on the site was infected by code, which attempts to exploit vulnerabilities in Microsoft XML Core Services. This allowed Remote Code Execution - a vulnerability known as CVE-2012-1889 that is linked to recent warnings from Google about 'state-sponsored attacks.’
Graham Cluley, Senior Technology Consultant at Sophos, said, "One way that hackers break into large companies and organizations is to target their supply chain.  It's reasonable to speculate that whoever was behind this attack actually had bigger fish to fry - the type of businesses that regularly visit the websites of aeronautical suppliers, such as defence companies. The theory goes that rather than try to hack a company which may have robust security practices and security teams, the bad actor can instead attack a smaller supplier who are less well placed to notice the security breach."
The report further claims that all versions of Windows are vulnerable, be it Windows XP, Windows Vista or Windows 7.  Moreover, all supported editions of Microsoft Office 2003 and Microsoft Office 2007 are also vulnerable. There is not yet an official patch from Microsoft. However, the company recommends that Internet Explorer and Microsoft Office users immediately install a Fix it solution downloadable with instructions from Microsoft Knowledge Base Article 2719615, until the company issues an official fix.
Graham Cluley, Senior Technology Consultant at Sophos, added further, "Don't underestimate the seriousness of this vulnerability. It's being actively exploited in the wild, and there is currently no patch available for it.  As a result, Sophos has raised its threat level rating to its highest level - 'Critical'.  Sophos does provide protection against the exploit - but the best solution of all would be to have a proper fix from Microsoft.  And for now, at least, we're waiting to see when that's going to appear."
Recently, we had seen the Flame virus, which was also said to be state sponsored. Moreover, a Microsoft bug allowed the Flame virus to access PCs. The Flame virus exploited the bug and disguised itself as a genuine Microsoft file. The virus is capable of copying whatever you enter on the keyboard and viewing on the computer screen. On infecting a system, it begins with its set of complex operations, which is inclusive of sniffing the network traffic, taking screenshots, recording audio conversations, intercepting the keyboard, and even monitoring the display. The information is then sent to a network of command-and-control servers located in many different parts of the world. It was called the most sophisticated and powerful virus ever created.

Published Date: Jun 27, 2012 11:36 am | Updated Date: Jun 27, 2012 11:36 am