Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


03:43 PM
Connect Directly

New 'Reliable' Java Attack Spreading Fast, Uses Two Zero-Day Bugs

Hundreds of domains serving up attack, tens of thousands of new victim machines since Java exploit was added to BlackHole toolkit

Widespread attacks are under way using a weaponized reliable Java exploit that relies on not one, but two zero-day exploits.

The Java exploit was originally used for targeted attacks to push remote access Trojans onto a victim's machine when it first went public, but this week was hurriedly added to the popular BlackHole crimeware kit, making it easily available to all types of cybercriminals. "When it got merged into BlackHole, it started to push malware of a more traditional type, like banking Trojans [and] Zeus variants," says Patrik Runald, director of security research for Websense.

At least 100 domains are now serving up the exploit, according to estimates by Websense and other researchers, 83 percent of which are located in the U.S., according to Websense. And so far, the number of infected hosts is in the tens of thousands range, according to Seculert's latest data.

"Usually, a good exploit kit like BlackHole has a success rate of around 10% for infecting machines visiting the servers. In the new version of BlackHole infection servers, we have seen up to a 25% success rate," Seculert said in a blog post today. "Furthermore, statistics show that Java exploits in BlackHole servers are 75 to 99% successful."

Initial reports were that the exploit was based on a single zero-day vulnerability in Java, but Immunity researcher Esteban Guillardoy dug deeper and discovered that it's actually using two previously unknown flaws in Java JDK/JRE 7 through Java JDK/JRE 7 update 6 versions.

"When working our way through each step this exploit performed, we realized there were two different bugs chained together, cleverly used in order to exploit a target. These two bugs [used] alone are not enough to exploit a target, and this is where the sun.awt.SunToolkit class comes in place together with the Statement class," Guillardoy says of the attack. "The attackers chained the two bugs to be able to work with the sun.awt.SunToolkit class that is restricted to applets in order to be able to access and set private fields on any class, and figured out that they could use this to change the Statement AccessControlContext and get full privileges."

[ After making their code harder to reverse-engineer, exploit kits are now focusing on improving attacks. See Crimeware Developers Shift To More Obfuscation, Java Exploits. ]

"Reliable" has been one of the main adjectives used to describe this exploit thus far. "It's the way the vulns work that make this particular [attack] very reliable," Runald says. "Sometimes you see 0days and vulns that are less easy to exploit and use for live attacks ... This particular [one] is very solid from the attacker point of view: It works every time if the right verison of Java is there."

Immunity's Guillardoy says both "the beauty and the danger" of this attack is that it's multiplatform and 100 percent reliable. "In [Immunity] CANVAS, we wrote an exploit that works with a 100% accuracy on Windows, Linux, and OS X without adding an extra line of code. Based on the Java website, 930 million Java Runtimes are downloaded each year, and 3 billion mobiles phones run Java. Moving the exploit to mobiles, smart TVs, etc., is very simple," he says.

No word yet from Oracle on mitigations or patches for the flaws, but some security experts say the bugs are fairly straightforward and basically abuse the way Java operates. "They are straightforward because it is not like your typical memory corruption having to jump through a bunch of OS security prevention measures. Rather, this is really almost as simple as taking advantage of functionality in Java just as any normal programmer would," says Marc Maiffret, CTO at BeyondTrust.

The attack is basically a combination of two vulnerabilities, but mainly it's an implementation flaw. "It is a bit of both, but essentially it is more of an implementation flaw that [Oracle] should have caught," Maiffret says. "Rather than a design flaw, such as older SQL injection, [this] is an overall architecture type of issue."

What's unusual is that two bugs were used to exploit Java, which is known for its bugs. "There have been a few vulnerabilities in software lately that seem to require multiple different bugs when combined together that can lead to overall code execution. Typically, when multiple bugs are combined for one exploit, it is in more secure software, such as Chrome, that has a lot of security layers that need to be bypassed," Maiffret says. "You typically do not have to work that hard with something like Java to exploit it, as Oracle seems to love continuing to be terrible at securing their products."

Security experts say attackers are likely to be spamming out email lures or malicious URLs for the initial stage of infection.

There are ways to defend against the attack: "Now that it went from use in a targeted fashion to mass exploitation, we encourage everyone, if you can't uninstall Java, at least disable it," Websense's Runald says. "Because Blackhole has an updatable framework and already has a foothold on thousands of sites, we anticipate that the number of sites compromised with this new zero-day will escalate rapidly in the coming days."

The attack works across the latest versions of Windows, Linux, and OS X platforms, as well as Firefox, Internet Explorer, and Safari.

Maiffret says because there has been a steady stream of Java bugs, there are some best practices organizations can adopt, such as ensuring that only systems that need Java have it installed. "Once you have determined systems that actually need Java, determine which of those systems are using Java for Internet facing-applications versus desktop/internal applications. You can then configure Java on systems that do not need it for Internet applications to only function for local sites/apps versus Internet applications," he says.

That can reduce the Java attack surface. "The real problem is Java is a massive ugly attack surface that most people are exposing on their systems when, in reality, they do not need to be," Maiffret says. "There are, of course, some systems that do need Java, so I do not think a general 'disable Java' is always going to work."

Says Immunity's Guillardoy: "We took this Java bug class very seriously because, without effort, you are able to compromise thousands of computers and devices around the world."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
IoT Vulnerability Disclosure Platform Launched
Dark Reading Staff 10/19/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-10-22
Parse Server (npm package parse-server) broadcasts events to all clients without checking if the session token is valid. This allows clients with expired sessions to still receive subscription objects. It is not possible to create subscription objects with invalid session tokens. The issue is not pa...
PUBLISHED: 2020-10-22
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.
PUBLISHED: 2020-10-22
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.
PUBLISHED: 2020-10-22
An issue was discovered in the Linux kernel through 5.9.1, as used with Xen through 4.14.x. Guest OS users can cause a denial of service (host OS hang) via a high rate of events to dom0, aka CID-e99502f76271.
PUBLISHED: 2020-10-22
An issue was discovered in Xen through 4.14.x allowing x86 PV guest OS users to gain guest OS privileges by modifying kernel memory contents, because invalidation of TLB entries is mishandled during use of an INVLPG-like attack technique.