New Zero-day Vulnerability Shares Links to Hidden Lynx

On November 11, Microsoft published a blog post about a new zero-day, the Microsoft Internet Explorer Unspecified Information Disclosure Vulnerability (BID 63629/CVE-2013-3918), which affects an Internet Explorer ActiveX control and had been publicly disclosed on November 8. The blog states that the vulnerability is scheduled to be addressed in “Bulletin 3”, to be released as MS13-090 today through Windows Update at approximately 10:00 AM PDT. As Symantec is a member of the Microsoft Active Protections Program (MAPP), we are aware of this vulnerability and have the following protections in place for our customers:

Antivirus:
Bloodhound.Exploit.519

Intrusion Prevention System (IPS):
Web Attack: Internet Explorer CVE-2013-3918

Based on the information in the public disclosure about the use of this zero-day in a watering hole attack, Symantec has been able to link it to a group we call Hidden Lynx, which we have previously detailed in a blog and whitepaper. Our research and analysis have shown that this latest attack shares a command-and-control server (IP address 111.68.9.93) with the Hidden Lynx group, and that the samples referred to in the public disclosure are variants of Trojan.Naid, a threat known to be used by Hidden Lynx. The following infographic summarizes the key information about this prolific group.
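The linkage above rests on infrastructure overlap: the new campaign and earlier Hidden Lynx activity contact the same command-and-control address. The following added example (illustration only, not Symantec's tooling) shows the two checks a defender would run from that observation: compute which C2 addresses two campaigns share, and sweep proxy logs for connections to the shared address. The only indicator taken from the post is 111.68.9.93; every other address and every log line is constructed for the example, and the log format is assumed to be Squid native access-log style.

```python
"""Indicator overlap and proxy-log sweep for the C2 address named in the post.

Added example, not Symantec code. Only 111.68.9.93 comes from the post; the
other addresses use RFC 5737 documentation ranges and the log lines are made up.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Set

# Campaign -> set of known C2 addresses. Only 111.68.9.93 is from the post;
# the rest are placeholders so the overlap logic has something to compare.
KNOWN_C2: Dict[str, Set[str]] = {
    "Hidden Lynx (prior reporting)": {"111.68.9.93", "192.0.2.10", "198.51.100.7"},
    "CVE-2013-3918 watering hole": {"111.68.9.93", "203.0.113.44"},
}


def shared_infrastructure(a: str, b: str,
                          indicators: Dict[str, Set[str]] = KNOWN_C2) -> Set[str]:
    """Return the C2 addresses campaigns `a` and `b` have in common.

    A non-empty result is the kind of overlap the post uses to tie the new
    zero-day activity to Hidden Lynx. Treat it as a lead rather than proof:
    hosting can be re-used by unrelated actors, so corroborate with malware
    family (here Trojan.Naid) and tradecraft before attributing.
    """
    return indicators[a] & indicators[b]


# Squid native access log: <ts> <elapsed> <client> <status> <bytes> <method> <url> ...
_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def _host_of(url: str) -> str:
    """Extract the host from either a full URL or a CONNECT 'host:port' target."""
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/:]+)", url)
    if m:
        return m.group(1)
    return url.split("/")[0].split(":")[0]


def find_c2_contacts(log_lines: Iterable[str], watchlist: Set[str]) -> List[dict]:
    """Return one record per log line whose destination is an IP on the watchlist.

    Hostnames are skipped deliberately: matching them needs DNS resolution or
    passive DNS, which is out of scope for this offline sweep.
    """
    hits: List[dict] = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # not a recognised access-log line
        host = _host_of(m.group("url"))
        try:
            ipaddress.ip_address(host)
        except ValueError:
            continue  # hostname, not a literal IP
        if host in watchlist:
            hits.append({
                "ts": m.group("ts"),
                "client": m.group("client"),
                "method": m.group("method"),
                "dst": host,
                "url": m.group("url"),
            })
    return hits


# Constructed proxy log lines for the example (not real traffic).
SAMPLE_LOG = [
    "1384214410.123    245 10.1.4.22 TCP_MISS/200 5120 GET http://111.68.9.93/update.php?id=7 - DIRECT/111.68.9.93 text/html",
    "1384214412.987     18 10.1.4.22 TCP_MISS/200 812 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html",
    "1384214420.001    530 10.1.7.5 TCP_TUNNEL/200 9044 CONNECT 111.68.9.93:443 - DIRECT/111.68.9.93 -",
    "1384214430.555     40 10.1.7.5 TCP_MISS/404 300 GET http://203.0.113.44/x - DIRECT/203.0.113.44 text/html",
    "this line is not an access-log record and is ignored",
]


def all_known_c2(indicators: Dict[str, Set[str]] = KNOWN_C2) -> Set[str]:
    """Union of every campaign's C2 addresses, for a broad sweep."""
    return set().union(*indicators.values())


if __name__ == "__main__":
    overlap = shared_infrastructure("Hidden Lynx (prior reporting)",
                                    "CVE-2013-3918 watering hole")
    print("shared C2:", sorted(overlap))
    for hit in find_c2_contacts(SAMPLE_LOG, all_known_c2()):
        print(f"{hit['ts']} {hit['client']} -> {hit['dst']} ({hit['method']} {hit['url']})")
```

The sweep flags both the plain HTTP beacon and the CONNECT tunnel to the shared address, which is why the post lists both an antivirus and an IPS signature: the host-side detection covers the exploit file, while the network side catches the callback regardless of how the payload was delivered.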

[Infographic: HiddenLynx-Infographic.png]

Symantec will continue to investigate this attack to ensure that the best possible protection is in place. As always, we recommend that users keep their systems up to date with the latest software patches. We also advise customers to run the latest Symantec consumer and enterprise solutions to best protect against attacks of this kind.
