March 1, 2013

Once again, attackers are leveraging a previously unknown critical security hole in Java to break into targeted computers. Interestingly, the malware and networks used in this latest attack match those found in the recently disclosed breach at security firm Bit9.

The discovery of the Java zero-day is being co-credited to FireEye and CyberESI, two companies that specialize in tracking cyber espionage attacks. In its writeup, FireEye said multiple customers had been attacked using a newly-found flaw in the latest versions of Java — Java 6 Update 41, and Java 7 Update 15.

FireEye said the Java exploit used in this attack downloaded a remote access Trojan called McRat. This threat, also known as HiKit and Mdmbot.F, calls home to a malicious control server at the Internet address 110.173.55.187. Turns out, this is the same malware and control server that was used in the attack on Bit9, according to details that Bit9 released in a blog post this week documenting a sophisticated attack that resulted in a breach of its own systems last year.

Alex Lanstein, a senior security researcher at FireEye, said it’s unlikely in this case that multiple attack groups are using the same infrastructure and malware.

“Same malware, same [command and control server], I’d have to say it’s the same group that hit Bit9,” Lanstein said.

The discovery of the new Java zero-day comes just days after Oracle released an update to fix at least five security flaws in Java, flaws that were apparently used in attacks on Apple, Facebook, Twitter and at least 37 other companies. At the beginning of February, Oracle pushed out an update that fixed some 50 other serious security problems in the widely-used program. Meanwhile, a team of Polish researchers has documented the presence of two other unfixed critical holes in the latest versions of Java 7.

Most consumers can get by without Java installed, or at least not plugged into the browser. Because of the prevalence of threats targeting Java installations, I’d urge these users to remove Java or unplug it from the browser. If this is too much trouble, consider adopting a dual-browser approach, keeping Java unplugged from your main browser, and plugged in to a secondary browser that you only use to visit sites that require the plugin.


16 thoughts on “New Java 0-Day Attack Echoes Bit9 Breach”

  1. Tim

    It’s worth noting that, unless Oracle changes its mind, a patch for Java 6.x will not be released to address this vulnerability as it is now EOL. See:

    https://www.java.com/en/download/faq/java_6.xml

    This means that businesses with v6.x dependencies are going to be extremely vulnerable from this point on.

      1. Stratocaster

        I’m sure it isn’t, but maybe the sheer force of public/user opinion will make Oracle change its mind regarding public Java 6.x security updates, as Microsoft has been forced to do on occasion in the past. Even though as a general rule Oracle doesn’t give a rat fart about public opinion — or even the opinions of its paying customers. If not, then some entrepreneurial sysadmin can create a nice little anonymous business.

        Those of us who use our personal machines from time to time to run woefully outdated corporate web apps remotely have earned the right to be the least gruntled. And I am.

      2. Jeremiah

        Oracle has pushed the EOL date for Java 6 at least twice, I’ll grant them that much. But, it’s clear that Java 7 has some very serious issues – there have been quite a few JRE7 issues lately that didn’t require fixes to previous versions. One would think that would force a reconsideration of Java 6’s EOL status for the sake of Oracle’s own brand image, but I suppose one would be wrong.

        My enterprise is locked into JRE6 and the IE plugin due to some unfortunate legacy systems that have not been funded for upgrades. We are in the process of purchasing Oracle Java SE Support at approx $6 USD per named user per year.

        We’re also considering metering and blacklisting the JRE executables for all users who do not register a critical business use case for the software. That will have a significant internal cost, but what else can you do?

    1. mechBgon

      From FireEye’s writeup, I see this particular payload plants a DLL file in the user’s profile folder to run a service on. I’d expect a disallowed-by-default Software Restriction Policy to arbitrarily block that, since it can be (and should be) applied to DLLs along with other potentially-malicious filetypes.

      So for those security pros who are stuck behind the Java 8-ball especially, you might consider SRP, which is effectively a built-in Windows whitelisting feature. The NSA has a writeup on SRP for application whitelisting at http://www.nsa.gov/ia/_files/os/win2k/Application_Whitelisting_Using_SRP.pdf. I have my own SRP-fanboy page at mechbgon.com/srp as well.

      I wonder who the targets of this latest campaign actually were, and what the attackers are after.
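
An added example, not part of the comment above or of the NSA guide it links: one way to check whether a Windows machine's Software Restriction Policy is actually default-deny and enforced on DLLs, which is the condition the comment relies on. `Get-SrpAudit` is a hypothetical helper name, and the sketch assumes the policy is machine-wide (stored under HKLM, not per-user).

```powershell
# Added example: audit machine-wide Software Restriction Policy (SRP) settings.
# Get-SrpAudit is a hypothetical name; the registry values read below are the
# ones Windows uses to store SRP configuration.
function Get-SrpAudit {
    param(
        [string]$Root = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    )
    if (-not (Test-Path $Root)) {
        return [pscustomobject]@{ Configured = $false }
    }
    $policy = Get-ItemProperty -Path $Root

    # Unrestricted (262144 = 0x40000) path rules are the exceptions to default-deny.
    # Flag any that point at locations a standard user can write to.
    $userWritable = '(?i)%(USERPROFILE|APPDATA|LOCALAPPDATA|TEMP|TMP)%|\\Users\\|\\Temp(\\|$)'
    $allowKey = Join-Path $Root '262144\Paths'
    $risky = @()
    if (Test-Path $allowKey) {
        $risky = @(Get-ChildItem -Path $allowKey | ForEach-Object {
            # Read the raw value so %VARIABLES% are not expanded for the current user.
            $_.GetValue('ItemData', $null, 'DoNotExpandEnvironmentNames')
        } | Where-Object { $_ -match $userWritable })
    }

    [pscustomobject]@{
        Configured      = $true
        DefaultDeny     = ($policy.DefaultLevel -eq 0)        # 0 = Disallowed
        DllsEnforced    = ($policy.TransparentEnabled -eq 2)  # 2 = all files, DLLs included
        AdminsExempt    = ($policy.PolicyScope -eq 1)         # 1 = all users except local admins
        RiskyAllowRules = $risky
    }
}

$audit = Get-SrpAudit
if (-not $audit.Configured) {
    'No machine-wide SRP policy found.'
} elseif ($audit.DefaultDeny -and $audit.DllsEnforced -and -not $audit.RiskyAllowRules) {
    'Default-deny with DLL enforcement; no Unrestricted path rule covers a user-writable location.'
} else {
    $audit | Format-List   # show which of the conditions is not met
}
```

A `TransparentEnabled` value of 1 enforces the policy on executables but skips DLLs, so a default-deny policy configured that way would not stop a DLL loaded from the user profile.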

  2. Christopher

    This is why my company maintains and touts a “negative-day defense” security posture by tracking the malnets themselves.

    By understanding and watching the delivery and command/control networks being used by the ne’er-do-wells, we flag their networks as suspicious/malicious/botnet and allow our customers to block all traffic to/from those categories. As such, they’re protected from such threats before vulnerabilities are found or exploited…even “zero-day” exploits.

    Full Disclosure: (obvious) I work for a network security company.

    1. Richard Steven Hack

      And your company is watching EVERYBODY?

      Including the NEW guys on the block?

      AND all the new IP registrations?

      Right…

      And this costs what?

      Not to be insulting but your company would have to go a long way to convince me of the cost-benefit utility of this in most corporations if those corporations were my clients.

  3. Barry Shteiman

    What is interesting to see as a trend is the somewhat change in Hackers reversing protocols and platforms for vulnerabilities that are usually platform dependent, and relying more and more on overarching architectures such as Java and Flash etc, which are platform agnostic.

    This creates an interesting threat landscape that has the multiplatform effect. It is very common to mistake reports that say that Microsoft platforms or others are now less vulnerable than in the past. I believe that it’s just a matter of Hackers changing focus.

    Taking a deep look into industrialized hacking, it fits the model well – “spread out, tech down, move fast”.

  4. M'sGranny

    My Hacker is asking me to verify my Full Leagal name, and a GOVt issued ID scan copies log in to my face book. I gave them my phone# 301-693-2752 no text wre sent to my phone. Now asking my GOV’t issued id scaned and sent to them.. This is exactly how my old face book account was hacked and carried over by this phone hacker/ ip bloker/ ip hacker/ email hacker…
    from Burke,VA ip.. woner of 4857 Muddler way, Chantilly, VA .. name ” Mohammed A. Rahman”, currently reside in North carolina with his wife Naureen Farzana Rahman…

    Who is this man? What does he want from me? He and his wife should be living AMERICA long time ago!!!!
