A breach of the Veterans of Foreign Wars website, a site frequently visited by veterans and current military personnel, could have allowed criminals to take control of military service members' computers through a newly discovered vulnerability in the Internet Explorer 10 browser, according to research from network security company FireEye.
In a blog post this week, FireEye described the attack it calls “Operation SnowMan”, timed around snowstorms in the Eastern US that might lead military personnel – on a “snow day” – to log into sensitive systems from home without the proper security in place. “A possible objective in the SnowMan attack is targeting military service members to steal military intelligence,” wrote FireEye.
After compromising the VFW website, the attackers added an iframe into the beginning of the website’s HTML code that loads the attacker’s page in the background, running a Flash object that orchestrates the remainder of the exploit.
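For site owners, the injection described above can be checked for in served pages. The following is an added example, not code from FireEye or the original article: it flags iframes that load from a host outside the site and that either sit at the very start of the markup or are rendered invisibly. The host names, the `early_tags` threshold and the hidden-frame heuristics are assumptions chosen for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class IframeAudit(HTMLParser):
    """Record every <iframe> with its position and how many tags preceded it."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.tags_seen = 0          # start tags encountered so far
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            a = dict(attrs)
            src = urljoin(self.page_url, a.get("src") or "")
            host = urlparse(src).hostname or ""
            self.findings.append({
                "src": src, "host": host,
                "line": self.getpos()[0], "tags_before": self.tags_seen,
                "style": (a.get("style") or "").replace(" ", "").lower(),
                "width": a.get("width"), "height": a.get("height"),
            })
        self.tags_seen += 1

def suspicious_iframes(html, page_url, allowed_hosts=(), early_tags=5):
    """Return iframes that are off-site and either early in the page or hidden."""
    site = urlparse(page_url).hostname
    audit = IframeAudit(page_url)
    audit.feed(html)
    out = []
    for f in audit.findings:
        off_site = f["host"] not in (site, *allowed_hosts)
        early = f["tags_before"] < early_tags   # assumed threshold
        hidden = (f["width"] in ("0", "1") or f["height"] in ("0", "1")
                  or "display:none" in f["style"] or "visibility:hidden" in f["style"])
        if off_site and (early or hidden):
            f["reasons"] = [r for r, hit in (("early", early), ("hidden", hidden)) if hit]
            out.append(f)
    return out

# Constructed sample: an iframe prepended ahead of the real document,
# followed by a legitimate third-party embed and a same-site frame.
SAMPLE = """<iframe src="http://injected.example/index.html" width="0" height="0"></iframe>
<html><head><title>Home</title></head>
<body><h1>Welcome</h1>
<iframe src="https://video.example/embed/1" width="560" height="315"></iframe>
<iframe src="/widgets/news.html"></iframe>
</body></html>"""
```

Run against a crawl of the site's own pages on a schedule, a new finding indicates markup that changed outside the normal publishing process.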
SnowMan uses a vulnerability in IE 10 (with Adobe Flash) that enables a drive-by download (on the VFW website) to install a remote access tool that can be used to take control of a computer, siphon off sensitive information, or even install more malware.
As Re/code’s Arik Hesseldahl notes, “The target of the attack is likely active duty personnel working in Washington, D.C., say at the Pentagon, who might sign into the VFW site from home over the long weekend, and then later try to sign into work or personal email accounts or VPNs from the same machine.”
FireEye notes that users can immunize their system from this risk by updating IE or installing Microsoft’s Enhanced Mitigation Experience Toolkit (EMET).