Status Tracking Note JVNTR-2010-06

Malicious Activity Associated with "Aurora" Internet Explorer Exploit (TA10-055A)

Overview

Malicious activity detected in mid-December targeted at least 20 organizations representing multiple industries including chemical, finance, information technology, and media. Investigation into this activity revealed that third parties routinely accessed the personal email accounts of dozens of users based in the United States, China, and Europe. Further analysis revealed these users were victims of previous phishing scams through which threat actors successfully gained access to their email accounts.

Event Information

Date (UTC) / Description
2010-02-25 00:30 US-CERT
TA10-055A: Malicious Activity Associated with "Aurora" Internet Explorer Exploit
Via US-CERT Mailing List
2010-01-22 02:28 JPCERT/CC
JPCERT-AT-2010-0004: Zero-day Vulnerability in Microsoft Internet Explorer
2010-01-21 23:24 Microsoft
ms10-jan: Microsoft Security Bulletin Summary for January 2010 (MS10-002)
Included in this advisory are updates for newly discovered vulnerabilities.
2010-01-21 21:21 Microsoft
Microsoft Security Advisory (979352): Vulnerability in Internet Explorer Could Allow Remote Code Execution
Microsoft has completed the investigation into a public report of this vulnerability. We have issued MS10-002 to address this issue.
2010-01-21 20:54 US-CERT
TA10-021A: Microsoft Internet Explorer Vulnerabilities
Via US-CERT Mailing List
2010-01-21 17:57 US-CERT
Microsoft Releases Cumulative Security Update for Internet Explorer
US-CERT Current Activity
Microsoft has released Security Bulletin MS10-002 as a Cumulative Security Update for Internet Explorer. This update addresses multiple vulnerabilities that, when exploited, may allow an attacker to execute arbitrary code.
2010-01-21 Symantec
The Trojan.Hydraq Incident: Analysis of the Aurora 0-Day Exploit
Security Response Blog
This exploit was used to deliver a malicious payload, known by the name of Trojan.Hydraq, the main purpose of which was to steal information from the compromised computer and report it back to the attackers.
2010-01-20 21:14 Microsoft
ms10-jan: Microsoft Security Bulletin Advance Notification for January 2010 (out-of-band)
This is an advance notification of one out-of-band security bulletin that Microsoft is intending to release on January 21, 2010.
2010-01-19 21:16 Symantec
ThreatCON (2) => (2)
The ThreatCon is at level 2. Microsoft has released a security advisory and mitigation for a new unpatched vulnerability affecting Internet Explorer.
2010-01-19 07:58 Trend Micro
Cyber Attacks on Google and Others - Who Is Really at Risk?
TrendLabs | Malware Blog - by Trend Micro
2010-01-18 08:01 JPCERT/CC
JPCERT-AT-2010-0004: Zero-day Vulnerability in Microsoft Internet Explorer
2010-01-15 21:35 SANS Internet Storm Center
Exploit code available for CVE-2010-0249
The details for CVE-2010-0249 aka Microsoft Security Advisory 979352 (http://www.microsoft.com/technet/security/advisory/979352.mspx) aka the Aurora exploit have been made public. It is a vulnerability in mshtml.dll that works as advertised on IE6 but if DEP is enabled on IE7 or IE8 the exploit does not execute code.
2010-01-15 17:29 McAfee
"Aurora" Exploit In Google Attack Now Public
McAfee Security Insights Blog
Computer code that exploits a yet-to-be-patched vulnerability in Internet Explorer is now publicly available on the Internet.
2010-01-15 13:36 The Metasploit Project
Internet Explorer "Aurora" Memory Corruption
Vulnerability Proof Of Concept (CVE-2010-0249)
#Cid: ms10_002_aurora.rb
2010-01-15 CERTA (Centre d'Expertise Gouvernemental de Réponse et de Traitement des Attaques informatiques)
Vulnerability in Microsoft Internet Explorer
2010-01-15 BSI (Bundesamt für Sicherheit in der Informationstechnik)
Critical Security Vulnerability in Internet Explorer
2010-01-15 Bugtraq
Internet Explorer CVE-2010-0249 Remote Code Execution Vulnerability
Vulnerability Proof Of Concept (CVE-2010-0249)
#Cid: 37815.py
#Tested: cpe:/o:microsoft:windows_xp::sp2 + cpe:/a:microsoft:ie:6
2010-01-14 23:54 Microsoft
Microsoft Security Advisory (979352): Vulnerability in Internet Explorer Could Allow Remote Code Execution
Advisory published.
Microsoft is investigating new public reports of a vulnerability in Internet Explorer.
2010-01-14 22:49 US-CERT
Microsoft Releases Security Advisory 979352
US-CERT Current Activity
Microsoft has released Security Advisory 979352 to alert users of a vulnerability in Microsoft Internet Explorer. The advisory indicates that exploitation of this vulnerability may allow an attacker to execute arbitrary code. Microsoft also indicates that it is aware of public, active exploitation of this vulnerability.
2010-01-14 22:19 SANS Internet Storm Center
0-day vulnerability in Internet Explorer 6, 7 and 8
Microsoft just published an advisory about a critical security vulnerability in all versions of Internet Explorer.
2010-01-14 20:48 McAfee
More Details on "Operation Aurora"
Computer Security Research - McAfee Labs Blog
Earlier today, George Kurtz posted an entry, 'Operation "Aurora" Hit Google, Others', on McAfee's Security Insight blog. The purpose of this blog is to answer questions about this particular attack; fill in some of the threat flow and McAfee coverage details.
2010-01-14 15:34 McAfee
Operation "Aurora" Hit Google, Others
McAfee Security Insights Blog
McAfee Labs has been working around the clock, diving deep into the attack we are now calling Aurora that hit multiple companies and was publicly disclosed by Google on Tuesday.
2010-01-13 McAfee
Exploit-Comele
2010-01-12 12:00 Google
A new approach to China
2010-01-11 14:59 Symantec
Trojan.Hydraq

Reference

Date first published (UTC): 2010-03-13T07:32+00:00
Date last updated (UTC): 2010-03-13T07:32+00:00