Zero-day vulnerability in Microsoft Internet Explorer

Memory corruption
CVE-2016-0189

Used to target South Korean organizations.
A banking (Duuzer back door) trojan distributed by Sundown Exploit Kit (EK) to target South Korean organizations. Later it was included into Magnitude and KaiXin EKs.

Known malware:

Exploit kit: Magnitude, Neutrino, RIG, Sundown.

Vulnerability details

Advisory: SB2016051003 - Multiple vulnerabilities in Microsoft Internet Explorer

Vulnerable component: Microsoft Internet Explorer

CVE-ID: CVE-2016-0189

CVSSv3 score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Description:

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error in the Scripting Engine when handling malicious files. A remote attacker can create a specially crafted content, trick the victim into opening it, trigger memory corruption and execute arbitrary code.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

Known APT campaigns:

CNACOM campaign

The campaign mainly targeted Taiwanese organizations and supposedly has Chinese origin.

Public Exploits:

External links:

http://theori.io/research/cve-2016-0189
https://github.com/theori-io/cve-2016-0189
https://technet.microsoft.com/library/security/MS16-053
https://technet.microsoft.com/library/security/ms16-051
https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0189
http://malware.dontneedcoffee.com/2016/07/cve-2016-0189-internet-explorer-and.html
https://www.symantec.com/security_response/writeup.jsp?docid=2016-061306-3604-99
https://www.symantec.com/connect/blogs/internet-explorer-zero-day-exploit-used-targeted-attacks-sout...
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=70147
http://malware.dontneedcoffee.com/2016/07/cve-2016-0189-internet-explorer-and.html
http://blog.trendmicro.com/trendlabs-security-intelligence/may-2016-patch-tuesday-fixes-browser-scri...
https://www.fireeye.com/blog/threat-research/2016/07/exploit_kits_quickly.html
https://www.virusbulletin.com/blog/2017/01/paper-journey-and-evolution-god-mode-2016-cve-2016-0189/
http://www.securityweek.com/microsoft-patches-flaws-exploited-targeted-attacks
http://sensorstechforum.com/may-2016-patch-tuesday-cve-2016-0189-kb3155533-kb3156764/
http://securityaffairs.co/wordpress/54093/intelligence/cnacom-campaign.html
https://www.zscaler.com/blogs/research/cnacom-open-source-exploitation-strategic-web-compromise
http://forensicblogs.com/tag/cve-2016-0189/
https://threatpost.com/patched-ie-zero-day-incorporated-into-neutrino-ek/119321/
http://securityaffairs.co/wordpress/49383/cyber-crime/neutrino-ek-ie-flaw.html
http://www.securityweek.com/ie-exploit-added-neutrino-after-experts-publish-poc
http://www.cybersecurity-review.com/internet-explorer-zero-day-exploit-used-in-targeted-attacks-in-s...
http://www.zdnet.com/article/south-korea-victim-of-internet-explorer-zero-day-vulnerability/
http://thecharlestendellshow.com/experts-published-ie-exploit-code-and-crooks-added-it-to-neutrino-e...
https://cybernewsgroup.co.uk/ie-exploit-added-to-neutrino-after-experts-publish-poc/
http://www.networkworld.com/article/3068505/microsoft-fixes-actively-attacked-ie-flaw-and-50-other-v...
https://www.scmagazine.com/patch-tuesday-microsoft-rolls-out-16-bulletins-eight-rated-critical/artic...
http://news.redpiranha.net/Landing-Page-Containing-CVE-2016-0189-Exploit-Code-Used-to-Target-Taiwane...
http://www.darkreading.com/attacks-breaches/windows-0-day-exploit-used-in-recent-wave-of-pos-attacks...
https://securityintelligence.com/news/proof-of-compromise-new-neutrino-exploit-runs-on-research/
https://www.grahamcluley.com/neutrino-exploit-kit-adds-zero-day-flaw-arsenal/

Vulnerability Scanning SaaS

Vulnerability scanning SaaS service is online 3-rd generation vulnerability scanner with scheduled assessments and vulnerability subscription. You can use service to check security of your network perimeter.