How Security Researchers Foiled An Internet Explorer Nightmare

In late April, researchers at security firm FireEye found a massive security flaw in Internet Explorer exposing millions to having their private data stolen. Here's the story of how they sprung into action with Microsoft.

Late in the afternoon on Friday, April 25, a Microsoft response team received some very unwelcome news. Staffers at FireEye, a large enterprise security firm, called and emailed them to say they were witnessing a highly unusual attack. Unknown perpetrators were using a security hole in nearly every version of Internet Explorer to hack carefully selected computers. The attack was deliberate, smart, and caused a media uproar. And, as of press time, the security hole that allowed the attack still hasn't been fully patched.

FireEye has given Fast Company an exclusive look inside the day it discovered what Internet security expert Brian Krebs called “a previously unknown security flaw in every supported version of Internet Explorer.” The attack appears to be at the center of a sophisticated criminal and/or state-supported hacker strike on a variety of industries. Fast Company has reported extensively on the work of FireEye's Mandiant division before, especially in researching the spies and crime rings behind cyberattacks. Mandiant, which helped uncover the IE flaw, was acquired by FireEye this past January in a billion-dollar acquisition. On May 6, the company also acquired forensics firm nPulse for $70 million.

The news of the security hole, called a "zero day" because hackers typically discover and exploit them the same day, came at a very bad time for Microsoft. The cybersecurity world was rocked just a few weeks earlier by news of the Heartbleed bug, a massive security hole in a popular encryption platform. But while Heartbleed does not appear to have been exploited on a large scale, the Internet Explorer attack was used in a very deliberate manner.

Matthew Fowler of FireEye told me that “we saw 10 different companies infected in different industries with different iterations of campaigns for this zero-day exploit. The actors behind it have very specific goals in mind in terms of data and who they want to acquire it from, and the companies infected in general received phishing campaigns that sent messages to hundreds of users at each client, rather than just one.” People who fell victim to this particular exploit could have hackers gain access to their hard drives, and all the sensitive and private information they contain. FireEye declined to give more information on the companies and industries targeted in the Internet Explorer attack.

For more information on the vulnerability in Internet Explorer and the risks currently extant, both Microsoft and FireEye have published extensive blog posts on the newly discovered zero day. In the meantime, here is an oral history of the Friday the attack was discovered from the FireEye and Mandiant researchers who worked late into the night to figure out exactly what was happening:

Zheng Bu, vice president, FireEye Research Labs: “At the beginning, the first indication of this attack was from the managed defense service team by FireEye where we monitor subscriber systems and network traffic to identify suspicious activity. One of our personnel noticed a possible attack and escalated it, sending our Incident Response team to investigate. Our incident responders got into this case and after manual analysis of the attack and network traffic, were able to confirm this was an attack.

On our back end, we had previously built out a system called the FireEye Labs Zero Day Discovery Center, which is a process/workflow/cross-system array that automatically analyzes potential malicious objects. We immediately realized this would be an important one, because this particular attack, a zero-day exploit, affected Internet Explorer 6-11. That was Friday night, after hours. We reported it to Microsoft, whose security response center acknowledged the submission, and worked together with us to verify.

This collaboration was impressive in terms of speed and response because Microsoft sent back their confirmation around midnight Friday. After that, Microsoft and FireEye worked together on mitigation.”

Example of FireEye's attack map platform. Courtesy FireEye.

Matthew Fowler, incident handler at FireEye: “I was looking at suspicious activity we saw on Friday from two clients, and tried to work backwards from machines we identified as being infected through a backdoor. We wanted to identify traffic we saw from these systems prior to the suspicious traffic (for forensics), and we found some similarities in web traffic, and then I met with a colleague who was doing some response work for one of the affected customers. We were looking at it from the intelligence side, and working to see if anything could be done from the end-point evaluation side to look at web traffic that could lead us to the exploit.”

Christopher Glyer, technical director at FireEye: Some of our technical team alerted us in the Incident Response team of this backdoor causing suspicious traffic, which had some indications a zero day was behind it. Whenever this happens with a client, our first inclination is to answer questions...What is it, how did it get there, when did it get there?

With some leads from that and a few other sources we pulled on Friday night, forensic data from a host, and evidence that lined up with what Matt was seeing, that pointed to JavaScript and Adobe Shock Flashwave files as an infection vector.”

Fowler: “We engaged in threat intelligence. That meant tracking the campaigns, and finding the thing that triggers users to go to sites that have the exploit. We found four different themes for this attack, which appeared to have taken place through spear-phishing (receiving an email that appears to be from a person or company you know). We saw that these spear-phishing emails were sent to a number of clients, and that they contained hyperlinks that send users to an exploit site.

On the intelligence side we looked at the industries and clients being targeted, and we tried to identify similarities across the board that help us understand at a technical level how these backdoors are being delivered.

During our investigation on Friday we found that an Internet Explorer exploit was enabling them to execute on compromised machines.”

Glyer: “When I pulled forensic data from the host, I was able to see the URLs a person clicked on or went into. We started when this alert started, I looked at the files they opened, how they accessed it with their web browser. Some of these stood out because the files were atypical in a pattern of what the users were looking at, and it aligned with the spear-phishing campaign themes Matt mentioned. Around that time, we saw a set of files created in the browser history cache. We identified these when the alert started, saw cache files and other files that made up exploit. I packaged them up, sent them to other individuals on my team who then did initial analysis on the exploit.”

Fowler: “Triage analysis found it was a similar approach to other IE exploits we saw that combine Flash objects with a heat spray, which sprays attackers' code into the memory of a system, and then uses Java to exploit a vulnerability in Internet Explorer. It was similar in approach to attacks we saw previously, but not the same. We sent this to our vulnerability research team at our Zero Day Center, who took it from there.”

Yichong Lin, manager of Vulnerability Research, FireEye: “The Managed Defense and Incident Response teams wanted to know if this was a new attack, which is where my group comes in. We broke it up right away. Dan Caselden and a colleague, Xiaobo Chen, worked side by side to show the code execution on a new and fully patched system. We did code execution to show it was a zero-day exploit, and we got in touch with Microsoft. Dan Caselden worked on minimizing our sample into a small proof of concept, which we then sent to Microsoft. Meanwhile, Xiaobo began reversing the processes the exploit used to successfully execute malicious code on the victims’ machines and circumvent various security mitigations, gathering crucial information to aid vendors in developing fixes or updating their systems. They responded quickly late Friday night to put it away. One important thing is that this particular exploit bypassed known security protections in the Windows OS and was trying to download encrypted, malicious content from a website.”

Example of FireEye's attack map platform. Courtesy FireEye

Dan Caselden, senior malware researcher, FireEye: “The toolkit from this exploit is a Flash file that uses an IE vulnerability to get code execution. I can't say too much about it, but, despite seeing multiple versions of Flash-assisted IE exploits in their campaigns, the Flash files remain fundamentally similar and unique to the group. We do see modifications to functions and variables that indicate their code is evolving over time, making it cleaner and easier to use.”

Bu: “When we looked at the exploit, we realized it was a vulnerability that affects every single version of Internet Explorer after version 6. We had an internal discussion and realized we had to notify Microsoft immediately. This was after hours at 7 p.m. Friday Pacific time. We sent this discovery to Microsoft, and directly called Microsoft people. We tried hard to get their attention and we got it. Microsoft response teams got this email and my follow-up message. We helped them reproduce the problem and their team was really good. When it comes to dedication and effort, Microsoft was great--they worked into the late, late hours on Friday to send confirmation that it was a zero day. My team worked those same hours too.”

On May 1, Microsoft released a out-of-band release that addressed the security issues in Internet Explorer; the company requests that users apply the update as quickly as possible.

Correction: An earlier version of this article did not include the software update Microsoft released on May 1. In addition, the original date of discovery on April 25 was misidentified.

[Image: Flickr user Peter Castleton]

Add New Comment