Zero-day vulnerability in Microsoft Internet Explorer

Memory corruption
CVE-2016-0189

Used to target South Korean organizations.
A banking trojan (Duuzer back door) was distributed through the Sundown Exploit Kit (EK) to target South Korean organizations. The exploit was later added to the Magnitude and KaiXin EKs.

Known malware:

Exploit kit: Magnitude, Neutrino, RIG, Sundown.

Vulnerability details

Advisory: SB2016051003 - Multiple vulnerabilities in Microsoft Internet Explorer

Vulnerable component: Microsoft Internet Explorer

CVE-ID: CVE-2016-0189

CVSSv3 score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Description:

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a boundary error in the Scripting Engine when handling malicious files. A remote attacker can create specially crafted content, trick the victim into opening it, trigger memory corruption and execute arbitrary code.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

Known APT campaigns:

CNACOM campaign

The campaign mainly targeted Taiwanese organizations and supposedly has Chinese origin.

Public Exploits:

Latest references in media:

- Internet Explorer scripting engine becomes North Korean APT's favorite target in 2018 | ZDNet [2018-11-12 20:50:08]

- New CVE-2018-8373 Exploit Spotted [2018-09-26 16:10:16]

- New CVE-2018-8373 Exploit Spotted in the Wild [2018-09-25 14:40:18]

- US is the world's hotspot for malicious websites [2018-09-06 15:40:20]

- USA Is the Top Country for Hosting Malicious Domains According to Report [2018-09-05 16:20:30]

- USA Is the Top Country for Hosting Malicious Domains, Research Shows [2018-09-05 16:10:23]

- USA Is the Top Country for Hosting Malicious Domains, Research [2018-09-05 16:00:22]

- Dangerous Underminer Exploit Kit Delivers a Cryptocurrency-mining Malware and Bootkit [2018-07-30 12:50:50]

- Underminer Exploit Kit spreading Bootkits and cryptocurrency miners [2018-07-29 11:00:08]

- New Underminer Exploit Kit Discovered Pushing Bootkits and CoinMiners [2018-07-28 16:40:17]

- New Underminer Exploit Kit Delivers Bootkit and Cryptocurrency-mining Malware with Encrypted TCP Tunnel [2018-07-26 17:40:17]

- RIG Exploit Kit Leverage the Code Injection Technique to Mining Crypto-Currency [2018-07-03 04:50:50]

- Down but Not Out: A Look Into Recent Exploit Kit Activities [2018-07-02 16:00:19]

- RIG Exploit Kit Delivering Monero Miner Via PROPagate Injection Technique [2018-06-28 18:30:04]

- Exploit kits: Spring 2018 review [2018-06-19 05:41:20]

- Analysis of the evolution of exploit kits in the threat landscape [2018-06-14 09:10:09]

- Exploit Kits Target Recent Flash, Internet Explorer Zero-Days [2018-06-13 18:00:09]

- Crooks included the code for CVE-2018-8174 IE Zero-Day in the RIG Exploit Kit [2018-06-03 09:36:36]

- Rig Exploit Kit Now Using CVE-2018-8174 to Deliver Monero Miner [2018-06-01 01:13:09]

- The King is dead. Long live the King! [2018-05-09 08:07:49]

- Microsoft Products Are Hackers’ Favorite — Report [2018-03-29 12:38:47]

- Attackers Shift From Adobe Flaws to Microsoft Products [2018-03-27 23:18:25]

- The Top Vulnerabilities Exploited by Cybercriminals [2018-03-27 17:40:51]

- New Web-Based Malware Distribution Channel ‘BlackTDS’ Surfaces [2018-03-14 23:41:22]

- RAT Distributed Via Google Drive Targets East Asia [2017-11-30 18:10:22]

- A Closer Look at North Korea’s Internet [2017-11-13 09:24:38]

- Magnitude Exploit Kit Now Targeting South Korea With Magniber Ransomware [2017-11-13 09:24:38]

- Matrix Ransomware being distributed through malvertising [2017-10-29 15:00:15]

- Matrix Ransomware Being Distributed by the RIG Exploit Kit [2017-10-27 22:42:48]

- Malvertising Campaign Redirects Browsers To Terror Exploit Kit [2017-10-25 14:35:39]

- Magnitude EK Targets South Korea with Language-Specific Ransomware [2017-10-23 21:30:05]

- New Magniber Ransomware Targets South Korea, Asia Pacific [2017-10-21 16:00:06]

- Magniber Ransomware Wants to Infect Only the Right People [2017-10-19 23:40:02]

- New Magniber Ransomware Emerges [2017-10-19 19:11:19]

- Magnitude Exploit Kit Now Targeting South Korea With Magniber Ransomware [2017-10-18 16:30:52]

- A Closer Look at North Korea’s Internet [2017-10-17 14:44:46]

- Exploit kits remain a cybercrime staple against outdated software – 2016 threat landscape review series [2017-01-23 23:37:34]

- Neptune exploit kit used to deliver Monero cryptocurrency miners via malvertising [2017-08-23 10:12:35]

- Neptune Exploit Kit Dropping Cryptocurrency Miners Through Malvertisements [2017-08-23 00:02:54]

- Hiking Club Malvertisements Drop Monero Miners Via Neptune Exploit Kit [2017-08-22 16:14:54]

- New Disdain Exploit Kit Detected in the Wild [2017-08-17 10:13:25]

- New "Disdain" Exploit Kit Spotted on Underground Forums [2017-08-15 14:50:54]

- New Disdain Exploit Kit Sold on Underground Hacking Forums [2017-08-15 00:00:21]

- ProMediads Malvertising and Sundown-Pirate Exploit Kit Combo Drops Ransomware and Info Stealer [2017-07-19 14:40:46]

- University College London Ransomware Linked to AdGholas Malvertising Group [2017-06-20 20:30:24]

- Cyber Threat Intelligence Shows Majority of Cybercrime is NOT Sophisticated [2017-01-20 17:28:50]

- New Terror Exploit Kit Emerges [2017-01-10 18:01:32]

- Two New Edge Exploits Integrated into Sundown Exploit Kit [2017-01-10 17:32:06]

- New, Poorly-Made Terror Exploit Kit Drops Monero Cryptocurrency Miner [2017-01-10 13:39:29]

- CVE-2016-7200 & CVE-2016-7201 Edge flaws added to the Sundown Exploit Kit [2017-01-10 10:41:11]

- CVE-2016-7200 & CVE-2016-7201 Edge flaws added to the Sundown Exploit Kit [2017-01-10 10:31:23]

- Edge Exploits Added to Sundown EK [2017-01-09 16:01:13]

- Sundown Exploit Kit now leverages on the steganography [2016-12-30 20:46:47]

- Sundown Exploit Kit Starts Using Steganography [2016-12-30 11:35:08]

- Updated Sundown Exploit Kit Uses Steganography [2016-12-29 09:04:39]

- Adobe Flash Player flaws remain the most used by Exploit Kits [2016-12-06 21:24:26]

- Flash Exploit Found in Seven Exploit Kits [2016-12-06 20:05:11]

- Flash Player Remains Main Target of Exploit Kits: Report [2016-12-06 16:44:11]

- Chinese hackers behind the CNACOM campaign hit Taiwan website [2016-12-06 08:14:44]

- China-Linked Spies Target Taiwan With IE Exploit [2016-12-05 13:43:29]

- Malware Tied to China Spotted Attacking Taiwanese Government Networks [2016-12-01 23:30:21]

- New Bizarro Sundown Exploit Kit Spreads Locky [2016-11-04 10:39:40]

- Caught on the Drive-by: Buhtrap Banking Malware Returns [2016-09-23 21:59:40]

- RIG Picks Up Where Neutrino Left Off, Pushes CrypMIC Ransomware [2016-09-21 15:34:36]

- Sundown Exploit Kit Outsources Coding Work [2016-09-05 16:10:20]

- RIG Developers Testing New Exploits, C&C Patterns [2016-09-05 10:10:13]

- Web pests pour two exploit kits into one cup [2016-08-17 08:37:38]

- World's worst exploit kit weaponises white hats' proof of concept code

- Patched IE Zero Day Incorporated into Neutrino EK

- Experts published IE Exploit code and crooks added it to Neutrino EK

- IE Exploit Added to Neutrino After Experts Publish PoC

- Exploit Kits Quickly Adopt Exploit Thanks to Open Source Release

- Adobe Patches Flash Zero-Day Exploited in the Wild

- Internet Explorer Zero-Day Hits South Korea

- Microsoft's May 2016 patches fix a boatload of vulnerabilities, including a zero-day

- May 2016 Patch Tuesday Fixes Browser and Scripting Engine Flaws

- Microsoft fixes actively attacked IE flaw and 50 other vulnerabilities

- Patch Tuesday Alert: Admins Urged to Fix Zero Day

- Microsoft Patches Flaws Exploited in Targeted Attacks

- Microsoft Patches JScript, VBScript Flaw Under Attack

External links:

http://theori.io/research/cve-2016-0189
https://github.com/theori-io/cve-2016-0189
https://technet.microsoft.com/library/security/MS16-053
https://technet.microsoft.com/library/security/ms16-051
https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0189
http://malware.dontneedcoffee.com/2016/07/cve-2016-0189-internet-explorer-and.html
https://www.symantec.com/security_response/writeup.jsp?docid=2016-061306-3604-99
https://www.symantec.com/connect/blogs/internet-explorer-zero-day-exploit-used-targeted-attacks-sout...
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=70147
http://blog.trendmicro.com/trendlabs-security-intelligence/may-2016-patch-tuesday-fixes-browser-scri...
https://www.fireeye.com/blog/threat-research/2016/07/exploit_kits_quickly.html
https://www.virusbulletin.com/blog/2017/01/paper-journey-and-evolution-god-mode-2016-cve-2016-0189/
http://www.securityweek.com/microsoft-patches-flaws-exploited-targeted-attacks
http://sensorstechforum.com/may-2016-patch-tuesday-cve-2016-0189-kb3155533-kb3156764/
http://securityaffairs.co/wordpress/54093/intelligence/cnacom-campaign.html
https://www.zscaler.com/blogs/research/cnacom-open-source-exploitation-strategic-web-compromise
http://forensicblogs.com/tag/cve-2016-0189/
https://threatpost.com/patched-ie-zero-day-incorporated-into-neutrino-ek/119321/
http://securityaffairs.co/wordpress/49383/cyber-crime/neutrino-ek-ie-flaw.html
http://www.securityweek.com/ie-exploit-added-neutrino-after-experts-publish-poc
http://www.cybersecurity-review.com/internet-explorer-zero-day-exploit-used-in-targeted-attacks-in-s...
http://www.zdnet.com/article/south-korea-victim-of-internet-explorer-zero-day-vulnerability/
http://thecharlestendellshow.com/experts-published-ie-exploit-code-and-crooks-added-it-to-neutrino-e...
https://cybernewsgroup.co.uk/ie-exploit-added-to-neutrino-after-experts-publish-poc/
http://www.networkworld.com/article/3068505/microsoft-fixes-actively-attacked-ie-flaw-and-50-other-v...
https://www.scmagazine.com/patch-tuesday-microsoft-rolls-out-16-bulletins-eight-rated-critical/artic...
http://news.redpiranha.net/Landing-Page-Containing-CVE-2016-0189-Exploit-Code-Used-to-Target-Taiwane...
http://www.darkreading.com/attacks-breaches/windows-0-day-exploit-used-in-recent-wave-of-pos-attacks...
https://securityintelligence.com/news/proof-of-compromise-new-neutrino-exploit-runs-on-research/
https://www.grahamcluley.com/neutrino-exploit-kit-adds-zero-day-flaw-arsenal/