Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


03:43 PM
Connect Directly

New 'Reliable' Java Attack Spreading Fast, Uses Two Zero-Day Bugs

Hundreds of domains serving up attack, tens of thousands of new victim machines since Java exploit was added to BlackHole toolkit

Widespread attacks are under way using a weaponized reliable Java exploit that relies on not one, but two zero-day exploits.

The Java exploit was originally used for targeted attacks to push remote access Trojans onto a victim's machine when it first went public, but this week was hurriedly added to the popular BlackHole crimeware kit, making it easily available to all types of cybercriminals. "When it got merged into BlackHole, it started to push malware of a more traditional type, like banking Trojans [and] Zeus variants," says Patrik Runald, director of security research for Websense.

At least 100 domains are now serving up the exploit, according to estimates by Websense and other researchers, 83 percent of which are located in the U.S., according to Websense. And so far, the number of infected hosts is in the tens of thousands range, according to Seculert's latest data.

"Usually, a good exploit kit like BlackHole has a success rate of around 10% for infecting machines visiting the servers. In the new version of BlackHole infection servers, we have seen up to a 25% success rate," Seculert said in a blog post today. "Furthermore, statistics show that Java exploits in BlackHole servers are 75 to 99% successful."

Initial reports were that the exploit was based on a single zero-day vulnerability in Java, but Immunity researcher Esteban Guillardoy dug deeper and discovered that it's actually using two previously unknown flaws in Java JDK/JRE 7 through Java JDK/JRE 7 update 6 versions.

"When working our way through each step this exploit performed, we realized there were two different bugs chained together, cleverly used in order to exploit a target. These two bugs [used] alone are not enough to exploit a target, and this is where the sun.awt.SunToolkit class comes in place together with the Statement class," Guillardoy says of the attack. "The attackers chained the two bugs to be able to work with the sun.awt.SunToolkit class that is restricted to applets in order to be able to access and set private fields on any class, and figured out that they could use this to change the Statement AccessControlContext and get full privileges."

[ After making their code harder to reverse-engineer, exploit kits are now focusing on improving attacks. See Crimeware Developers Shift To More Obfuscation, Java Exploits. ]

"Reliable" has been one of the main adjectives used to describe this exploit thus far. "It's the way the vulns work that make this particular [attack] very reliable," Runald says. "Sometimes you see 0days and vulns that are less easy to exploit and use for live attacks ... This particular [one] is very solid from the attacker point of view: It works every time if the right verison of Java is there."

Immunity's Guillardoy says both "the beauty and the danger" of this attack is that it's multiplatform and 100 percent reliable. "In [Immunity] CANVAS, we wrote an exploit that works with a 100% accuracy on Windows, Linux, and OS X without adding an extra line of code. Based on the Java website, 930 million Java Runtimes are downloaded each year, and 3 billion mobiles phones run Java. Moving the exploit to mobiles, smart TVs, etc., is very simple," he says.

No word yet from Oracle on mitigations or patches for the flaws, but some security experts say the bugs are fairly straightforward and basically abuse the way Java operates. "They are straightforward because it is not like your typical memory corruption having to jump through a bunch of OS security prevention measures. Rather, this is really almost as simple as taking advantage of functionality in Java just as any normal programmer would," says Marc Maiffret, CTO at BeyondTrust.

The attack is basically a combination of two vulnerabilities, but mainly it's an implementation flaw. "It is a bit of both, but essentially it is more of an implementation flaw that [Oracle] should have caught," Maiffret says. "Rather than a design flaw, such as older SQL injection, [this] is an overall architecture type of issue."

What's unusual is that two bugs were used to exploit Java, which is known for its bugs. "There have been a few vulnerabilities in software lately that seem to require multiple different bugs when combined together that can lead to overall code execution. Typically, when multiple bugs are combined for one exploit, it is in more secure software, such as Chrome, that has a lot of security layers that need to be bypassed," Maiffret says. "You typically do not have to work that hard with something like Java to exploit it, as Oracle seems to love continuing to be terrible at securing their products."

Security experts say attackers are likely to be spamming out email lures or malicious URLs for the initial stage of infection.

There are ways to defend against the attack: "Now that it went from use in a targeted fashion to mass exploitation, we encourage everyone, if you can't uninstall Java, at least disable it," Websense's Runald says. "Because Blackhole has an updatable framework and already has a foothold on thousands of sites, we anticipate that the number of sites compromised with this new zero-day will escalate rapidly in the coming days."

The attack works across the latest versions of Windows, Linux, and OS X platforms, as well as Firefox, Internet Explorer, and Safari.

Maiffret says because there has been a steady stream of Java bugs, there are some best practices organizations can adopt, such as ensuring that only systems that need Java have it installed. "Once you have determined systems that actually need Java, determine which of those systems are using Java for Internet facing-applications versus desktop/internal applications. You can then configure Java on systems that do not need it for Internet applications to only function for local sites/apps versus Internet applications," he says.

That can reduce the Java attack surface. "The real problem is Java is a massive ugly attack surface that most people are exposing on their systems when, in reality, they do not need to be," Maiffret says. "There are, of course, some systems that do need Java, so I do not think a general 'disable Java' is always going to work."

Says Immunity's Guillardoy: "We took this Java bug class very seriously because, without effort, you are able to compromise thousands of computers and devices around the world."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Register for Dark Reading Newsletters
White Papers
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-10-20
** DISPUTED ** The BIOS configuration design on ASUS ROG Zephyrus M GM501GS laptops with BIOS 313 relies on the main battery instead of using a CMOS battery, which reduces the value of a protection mechanism in which booting from a USB device is prohibited. Attackers who have physical laptop access ...
PUBLISHED: 2019-10-19
The Video_Converter app 0.1.0 for Nextcloud allows denial of service (CPU and memory consumption) via multiple concurrent conversions because many FFmpeg processes may be running at once. (The workload is not queued for serial execution.)
PUBLISHED: 2019-10-19
Information Disclosure is possible on WAGO Series PFC100 and PFC200 devices before FW12 due to improper access control. A remote attacker can check for the existence of paths and file names via crafted HTTP requests.
PUBLISHED: 2019-10-19
templates/pad.html in Etherpad-Lite 1.7.5 has XSS when the browser does not encode the path of the URL, as demonstrated by Internet Explorer.
PUBLISHED: 2019-10-18
In the Linux kernel before 5.3.4, a reference count usage error in the fib6_rule_suppress() function in the fib6 suppression feature of net/ipv6/fib6_rules.c, when handling the FIB_LOOKUP_NOREF flag, can be exploited by a local attacker to corrupt memory, aka CID-ca7a03c41753.