Once again, attackers are leveraging a previously unknown critical security hole in Java to break into targeted computers. Interestingly, the malware and networks used in this latest attack match those found in the recently disclosed breach at security firm Bit9.
The discovery of the Java zero-day is being co-credited to FireEye and CyberESI, two companies that specialize in tracking cyber espionage attacks. In its writeup, FireEye said multiple customers had been attacked using a newly-found flaw in the latest versions of Java — Java 6 Update 41, and Java 7 Update 15.
FireEye said the Java exploit used in this attack downloaded a remote access Trojan called McRat. This threat, also known as HiKit and Mdmbot.F, calls home to a malicious control server at the Internet address 22.214.171.124. Turns out, this is the same malware and control server that was used in the attack on Bit9, according to details that Bit9 released in a blog post this week documenting a sophisticated attack that resulted in a breach of its own systems last year.
Alex Lanstein, a senior security researcher at FireEye, said it’s unlikely in this case that multiple attack groups are using the same infrastructure and malware.
“Same malware, same [command and control server], I’d have to say it’s the same group that hit Bit9,” Lanstein said.