Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

8/29/2012
03:43 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

New 'Reliable' Java Attack Spreading Fast, Uses Two Zero-Day Bugs

Hundreds of domains serving up attack, tens of thousands of new victim machines since Java exploit was added to BlackHole toolkit

Widespread attacks are under way using a weaponized reliable Java exploit that relies on not one, but two zero-day exploits.

The Java exploit was originally used for targeted attacks to push remote access Trojans onto a victim's machine when it first went public, but this week was hurriedly added to the popular BlackHole crimeware kit, making it easily available to all types of cybercriminals. "When it got merged into BlackHole, it started to push malware of a more traditional type, like banking Trojans [and] Zeus variants," says Patrik Runald, director of security research for Websense.

At least 100 domains are now serving up the exploit, according to estimates by Websense and other researchers, 83 percent of which are located in the U.S., according to Websense. And so far, the number of infected hosts is in the tens of thousands range, according to Seculert's latest data.

"Usually, a good exploit kit like BlackHole has a success rate of around 10% for infecting machines visiting the servers. In the new version of BlackHole infection servers, we have seen up to a 25% success rate," Seculert said in a blog post today. "Furthermore, statistics show that Java exploits in BlackHole servers are 75 to 99% successful."

Initial reports were that the exploit was based on a single zero-day vulnerability in Java, but Immunity researcher Esteban Guillardoy dug deeper and discovered that it's actually using two previously unknown flaws in Java JDK/JRE 7 through Java JDK/JRE 7 update 6 versions.

"When working our way through each step this exploit performed, we realized there were two different bugs chained together, cleverly used in order to exploit a target. These two bugs [used] alone are not enough to exploit a target, and this is where the sun.awt.SunToolkit class comes in place together with the Statement class," Guillardoy says of the attack. "The attackers chained the two bugs to be able to work with the sun.awt.SunToolkit class that is restricted to applets in order to be able to access and set private fields on any class, and figured out that they could use this to change the Statement AccessControlContext and get full privileges."

[ After making their code harder to reverse-engineer, exploit kits are now focusing on improving attacks. See Crimeware Developers Shift To More Obfuscation, Java Exploits. ]

"Reliable" has been one of the main adjectives used to describe this exploit thus far. "It's the way the vulns work that make this particular [attack] very reliable," Runald says. "Sometimes you see 0days and vulns that are less easy to exploit and use for live attacks ... This particular [one] is very solid from the attacker point of view: It works every time if the right verison of Java is there."

Immunity's Guillardoy says both "the beauty and the danger" of this attack is that it's multiplatform and 100 percent reliable. "In [Immunity] CANVAS, we wrote an exploit that works with a 100% accuracy on Windows, Linux, and OS X without adding an extra line of code. Based on the Java website, 930 million Java Runtimes are downloaded each year, and 3 billion mobiles phones run Java. Moving the exploit to mobiles, smart TVs, etc., is very simple," he says.

No word yet from Oracle on mitigations or patches for the flaws, but some security experts say the bugs are fairly straightforward and basically abuse the way Java operates. "They are straightforward because it is not like your typical memory corruption having to jump through a bunch of OS security prevention measures. Rather, this is really almost as simple as taking advantage of functionality in Java just as any normal programmer would," says Marc Maiffret, CTO at BeyondTrust.

The attack is basically a combination of two vulnerabilities, but mainly it's an implementation flaw. "It is a bit of both, but essentially it is more of an implementation flaw that [Oracle] should have caught," Maiffret says. "Rather than a design flaw, such as older SQL injection, [this] is an overall architecture type of issue."

What's unusual is that two bugs were used to exploit Java, which is known for its bugs. "There have been a few vulnerabilities in software lately that seem to require multiple different bugs when combined together that can lead to overall code execution. Typically, when multiple bugs are combined for one exploit, it is in more secure software, such as Chrome, that has a lot of security layers that need to be bypassed," Maiffret says. "You typically do not have to work that hard with something like Java to exploit it, as Oracle seems to love continuing to be terrible at securing their products."

Security experts say attackers are likely to be spamming out email lures or malicious URLs for the initial stage of infection.

There are ways to defend against the attack: "Now that it went from use in a targeted fashion to mass exploitation, we encourage everyone, if you can't uninstall Java, at least disable it," Websense's Runald says. "Because Blackhole has an updatable framework and already has a foothold on thousands of sites, we anticipate that the number of sites compromised with this new zero-day will escalate rapidly in the coming days."

The attack works across the latest versions of Windows, Linux, and OS X platforms, as well as Firefox, Internet Explorer, and Safari.

Maiffret says because there has been a steady stream of Java bugs, there are some best practices organizations can adopt, such as ensuring that only systems that need Java have it installed. "Once you have determined systems that actually need Java, determine which of those systems are using Java for Internet facing-applications versus desktop/internal applications. You can then configure Java on systems that do not need it for Internet applications to only function for local sites/apps versus Internet applications," he says.

That can reduce the Java attack surface. "The real problem is Java is a massive ugly attack surface that most people are exposing on their systems when, in reality, they do not need to be," Maiffret says. "There are, of course, some systems that do need Java, so I do not think a general 'disable Java' is always going to work."

Says Immunity's Guillardoy: "We took this Java bug class very seriously because, without effort, you are able to compromise thousands of computers and devices around the world."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-30480
PUBLISHED: 2021-04-09
Zoom Chat through 2021-04-09 on Windows and macOS allows certain remote authenticated attackers to execute arbitrary code without user interaction. An attacker must be within the same organization, or an external party who has been accepted as a contact. NOTE: this is specific to the Zoom Chat softw...
CVE-2021-21194
PUBLISHED: 2021-04-09
Use after free in screen sharing in Google Chrome prior to 89.0.4389.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
CVE-2021-21195
PUBLISHED: 2021-04-09
Use after free in V8 in Google Chrome prior to 89.0.4389.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
CVE-2021-21196
PUBLISHED: 2021-04-09
Heap buffer overflow in TabStrip in Google Chrome on Windows prior to 89.0.4389.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
CVE-2021-21197
PUBLISHED: 2021-04-09
Heap buffer overflow in TabStrip in Google Chrome prior to 89.0.4389.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.