The same team that hacked defense and chemical companies may be behind a recent zero-day exploit.
A new zero-day exploit has been discovered that affects Internet Explorer 7, 8 and 9 on Windows XP, Vista and Windows 7. In other words, it can hit millions of machines across the planet. Microsoft has released a free mitigation tool as a stopgap while it works on a full patch. The people who originated the exploit appear to be linked to the Nitro group, which was very active late last year.
The zero-day exploit was first revealed by Eric Romang, who came across it while, in his words, "monitoring some of the infected servers used by the alleged Nitro gang." According to Romang, as soon as the attackers realized their cover had been blown they removed all the exploit files from their source server. "The guys who developed this new 0day were not happy to have been caught ... But also more interesting, they also removed a Java 0day variant from other folders." That suggests something else was hidden away that Romang's monitoring inadvertently exposed, possibly linked to the Java zero-day that was uncovered in late August 2012.
The Nitro group, when it surfaced last year, was interested in military, government and chemical industry targets. According to Symantec, "[the] attack campaign focused on the chemical sector with the goal of obtaining sensitive documents such as proprietary designs, formulas, and manufacturing processes." Some of the attacks were traced back to a server in China, and it was thought at the time that its user, operating under the name Covert Grove, may have been significantly involved in the attacks.
A zero-day attack is so called because it exploits a previously unknown vulnerability, so the attack takes place on "day zero" of the defenders' awareness of the problem: no patch exists yet. Though Symantec and other antivirus companies have released detection updates for this IE exploit, signatures alone may not be sufficient. Liam O Murchu, research manager for Symantec, pointed out that "the danger with these types of attacks is that they will mutate and the attackers will find a way to evade the defences we have in place."