Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

8/29/2012
03:43 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

New 'Reliable' Java Attack Spreading Fast, Uses Two Zero-Day Bugs

Hundreds of domains serving up attack, tens of thousands of new victim machines since Java exploit was added to BlackHole toolkit

Widespread attacks are under way using a weaponized reliable Java exploit that relies on not one, but two zero-day exploits.

The Java exploit was originally used for targeted attacks to push remote access Trojans onto a victim's machine when it first went public, but this week was hurriedly added to the popular BlackHole crimeware kit, making it easily available to all types of cybercriminals. "When it got merged into BlackHole, it started to push malware of a more traditional type, like banking Trojans [and] Zeus variants," says Patrik Runald, director of security research for Websense.

At least 100 domains are now serving up the exploit, according to estimates by Websense and other researchers, 83 percent of which are located in the U.S., according to Websense. And so far, the number of infected hosts is in the tens of thousands range, according to Seculert's latest data.

"Usually, a good exploit kit like BlackHole has a success rate of around 10% for infecting machines visiting the servers. In the new version of BlackHole infection servers, we have seen up to a 25% success rate," Seculert said in a blog post today. "Furthermore, statistics show that Java exploits in BlackHole servers are 75 to 99% successful."

Initial reports were that the exploit was based on a single zero-day vulnerability in Java, but Immunity researcher Esteban Guillardoy dug deeper and discovered that it's actually using two previously unknown flaws in Java JDK/JRE 7 through Java JDK/JRE 7 update 6 versions.

"When working our way through each step this exploit performed, we realized there were two different bugs chained together, cleverly used in order to exploit a target. These two bugs [used] alone are not enough to exploit a target, and this is where the sun.awt.SunToolkit class comes in place together with the Statement class," Guillardoy says of the attack. "The attackers chained the two bugs to be able to work with the sun.awt.SunToolkit class that is restricted to applets in order to be able to access and set private fields on any class, and figured out that they could use this to change the Statement AccessControlContext and get full privileges."

[ After making their code harder to reverse-engineer, exploit kits are now focusing on improving attacks. See Crimeware Developers Shift To More Obfuscation, Java Exploits. ]

"Reliable" has been one of the main adjectives used to describe this exploit thus far. "It's the way the vulns work that make this particular [attack] very reliable," Runald says. "Sometimes you see 0days and vulns that are less easy to exploit and use for live attacks ... This particular [one] is very solid from the attacker point of view: It works every time if the right verison of Java is there."

Immunity's Guillardoy says both "the beauty and the danger" of this attack is that it's multiplatform and 100 percent reliable. "In [Immunity] CANVAS, we wrote an exploit that works with a 100% accuracy on Windows, Linux, and OS X without adding an extra line of code. Based on the Java website, 930 million Java Runtimes are downloaded each year, and 3 billion mobiles phones run Java. Moving the exploit to mobiles, smart TVs, etc., is very simple," he says.

No word yet from Oracle on mitigations or patches for the flaws, but some security experts say the bugs are fairly straightforward and basically abuse the way Java operates. "They are straightforward because it is not like your typical memory corruption having to jump through a bunch of OS security prevention measures. Rather, this is really almost as simple as taking advantage of functionality in Java just as any normal programmer would," says Marc Maiffret, CTO at BeyondTrust.

The attack is basically a combination of two vulnerabilities, but mainly it's an implementation flaw. "It is a bit of both, but essentially it is more of an implementation flaw that [Oracle] should have caught," Maiffret says. "Rather than a design flaw, such as older SQL injection, [this] is an overall architecture type of issue."

What's unusual is that two bugs were used to exploit Java, which is known for its bugs. "There have been a few vulnerabilities in software lately that seem to require multiple different bugs when combined together that can lead to overall code execution. Typically, when multiple bugs are combined for one exploit, it is in more secure software, such as Chrome, that has a lot of security layers that need to be bypassed," Maiffret says. "You typically do not have to work that hard with something like Java to exploit it, as Oracle seems to love continuing to be terrible at securing their products."

Security experts say attackers are likely to be spamming out email lures or malicious URLs for the initial stage of infection.

There are ways to defend against the attack: "Now that it went from use in a targeted fashion to mass exploitation, we encourage everyone, if you can't uninstall Java, at least disable it," Websense's Runald says. "Because Blackhole has an updatable framework and already has a foothold on thousands of sites, we anticipate that the number of sites compromised with this new zero-day will escalate rapidly in the coming days."

The attack works across the latest versions of Windows, Linux, and OS X platforms, as well as Firefox, Internet Explorer, and Safari.

Maiffret says because there has been a steady stream of Java bugs, there are some best practices organizations can adopt, such as ensuring that only systems that need Java have it installed. "Once you have determined systems that actually need Java, determine which of those systems are using Java for Internet facing-applications versus desktop/internal applications. You can then configure Java on systems that do not need it for Internet applications to only function for local sites/apps versus Internet applications," he says.

That can reduce the Java attack surface. "The real problem is Java is a massive ugly attack surface that most people are exposing on their systems when, in reality, they do not need to be," Maiffret says. "There are, of course, some systems that do need Java, so I do not think a general 'disable Java' is always going to work."

Says Immunity's Guillardoy: "We took this Java bug class very seriously because, without effort, you are able to compromise thousands of computers and devices around the world."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
HackerOne Drops Mobile Voting App Vendor Voatz
Dark Reading Staff 3/30/2020
Limited-Time Free Offers to Secure the Enterprise Amid COVID-19
Curtis Franklin Jr., Senior Editor at Dark Reading,  3/31/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-11547
PUBLISHED: 2020-04-05
PRTG Network Monitor before 20.1.57.1745 allows remote unauthenticated attackers to obtain information about probes running or the server itself (CPU usage, memory, Windows version, and internal statistics) via an HTTP request, as demonstrated by type=probes to login.htm or index.htm.
CVE-2020-11548
PUBLISHED: 2020-04-05
The Search Meter plugin through 2.13.2 for WordPress allows user input introduced in the search bar to be any formula. The attacker could achieve remote code execution via CSV injection if a wp-admin/index.php?page=search-meter Export is performed.
CVE-2020-11542
PUBLISHED: 2020-04-04
3xLOGIC Infinias eIDC32 2.213 devices with Web 1.107 allow Authentication Bypass via CMD.HTM?CMD= because authentication depends on the client side's interpretation of the <KEY>MYKEY</KEY> substring.
CVE-2020-11533
PUBLISHED: 2020-04-04
Ivanti Workspace Control before 10.4.30.0, when SCCM integration is enabled, allows local users to obtain sensitive information (keying material).
CVE-2020-11529
PUBLISHED: 2020-04-04
Common/Grav.php in Grav before 1.6.23 has an Open Redirect.