Attackers Target Networks With Zero-Day Java Flaw

Security firms warned business users and consumers to remove Java if possible, after one company identified an attack against its customers using a previously unknown vulnerability in Java.

On 24 August, threat-protection firm FireEye stopped an attack targeting the flaw and over the weekend confirmed that the security issue was previously undiscovered. The attack exploited the vulnerability in the latest version of the software platform, Java 7, and can execute on Windows, Mac OS X and Linux, said Atif Mushtaq, a senior staff scientist with FireEye.

Silent attack

FireEye and other security firms have discovered that the attack is quite silent.

“Unlike other exploits, which, when they run, crash your browser and give you a feeling that something is wrong, this attack really works silently,” Mushtaq said on 27 August. “Every big platform is really being targeted right now.”

Known for its cross platform functionality and tag line “write once, run everywhere”, the Java software platform has become a very popular target of cybercriminals with major exploit kits, such as Blackhole, including at least a handful of exploits to target Java vulnerabilities. The software’s widespread deployment, especially in enterprise environments and the necessity of keeping older, vulnerable versions around for backwards compatibility, give attackers an ideal environment to easily exploit targeted systems.

The failed attack, which led to the discovery of the vulnerability, attempted to install Poison Ivy, a well-known rootkit, but also one that has been used in some nation-state-related attacks. The attack emanated from servers in China, but experts are quick to point out that cyber-criminals utilise compromised servers in other countries to mislead investigators.

Mushtaq and other security researchers worried that Oracle, which took over the development of Java when it purchased Sun Microsystems, will delay releasing a patch until its regularly scheduled patch day on 16 October.

“Oracle almost never issues out-of-cycle patches but hopefully they will… consider it serious enough to do it this time,” Mila Parkour, co-founder of DeepEnd Research, stated in a blog post on 27 August.

Speed is critical

Speed is critical, because the exploit has already started appearing in many of the tools used by attackers and offensive security experts, such as penetration testers. The Metasploit Project, which manages the development of the project of the same name, released on 26 August a module to exploit the vulnerability on all major platforms and browsers.

A beta version of the Blackhole exploit kit – a popular way for cybercriminals to compromise computers and manage the resulting botnets – has also included a version of the Metasploit attack.

After information on the attack came out, other security providers found signs of the attacks as well. Open-source security management provider AlienVault published details on 27 August of an attack similar to the one reported by FireEye. It also confirmed the link to the Poison Ivy rootkit.

“A module has just been published for Metasploit, so it is time to disable Java in all your systems,” the company stated. “And remember to search your logs for connections to the Domains/IPs related to this attack.”

How much do you know about technology for those with disabilities, and the people who use and develop it? Take our quiz.