
7 Advanced Data Thefts Based on Java Exploits

PCQ Bureau

Java is a difficult beast that is causing a lot of concern in the CTO, CIO and CSO offices. Mitigating Java risk, including disabling Java, is easier said than done in today's business world. Java is embedded into critical business applications that organizations rely on to stay competitive. Unfortunately, Java zero-days and vulnerabilities allow the bad guys to constantly pwn computers, and patch management, while often touted as a solution, simply isn't working. Nearly 40 percent of users are not currently using the most up-to-date versions of Flash. So, if roughly 10 percent of enterprises or less are proactively managing known critical Java vulnerabilities through patch management and version control, what security measures are the other 93 percent relying on to protect their systems from compromise and data theft?


Java Exploits and Zero Days Popular in Crime Kits

Take a look at the control panel for any crime kit and you'll see that Java exploits are one of the most successful gateways into an organization to infect machines and steal sensitive data. However, the challenge for most businesses isn't the initial discovery of Java vulnerabilities, but the speed at which zero-days are integrated into exploit kits. Cybercriminals can rent a hosted exploit kit with zero-days already in it for as little as $200 a week. Fast integration of zero-day vulnerabilities gives attackers an unlimited capacity to rebuild exploits that bypass traditional signature methods like antivirus, firewalls and other controls. Exploit kits have taken a complex and costly process and reduced the effort, expertise and cost previously required to take advantage of vulnerabilities. The barrier to entry for cybercriminals is now incredibly low. Well-made kits do almost all the work for you, right down to hosting the binary, if you choose. The results of our research indicate that the patch management process is woefully slow. Patch management can be a complicated process for an organization, especially one with remote workers. This is exactly why real-time security models are absolutely essential. Patch management (even the best) and antivirus simply cannot keep up with the ongoing barrage of zero-days and exploits created to take advantage of the next generation of attacks.

How Java Exploits are Used in the Seven Stages of Advanced Threats

When you take the approach of looking at the entire attack chain for suspicious behavior, rather than waiting and hoping to catch something on the last step of the process, you have many more opportunities to spot and disrupt an attack - even if it's malware you've never seen before. Here is a recent example. This year, cybercriminals sought to take advantage of the horrific attacks at the Boston Marathon to infect computers using the RedKit Exploit Kit. Let's take a look at this campaign, intercepted by the Websense Security Labs, to understand how Java exploits are used in the Seven Stages of Advanced Threats.

Stage 1: Reconnaissance

Like many other campaigns, in this example, the cybercriminals are opportunists looking to monitor news and breaking events for a chance to launch a successful attack. The bombings at the Boston Marathon provided the opportunity for this specific campaign.

Stage 2: Lures

The bad actors then generated a spam email campaign with sensational headlines to exploit human interest in learning more about the situation, including:

- 2 Explosions at Boston Marathon

- Aftermath to explosion at Boston Marathon

- Boston Explosion Caught on Video

- BREAKING - Boston Marathon Explosion

- Runner captures. Marathon Explosion

- Video of Explosion at the Boston Marathon

Stage 3: Redirects

Once the link is clicked, the victim is brought to a page with video coverage of the breaking event. Unbeknownst to them, a hidden iframe redirects them to an exploit page, in this case:

- http://<IP Address>/news.html

- http://<IP Address>/boston.html

Stage 4: Exploit Kits

The RedKit Exploit Kit used in this attack scans for applicable vulnerabilities and, in this occurrence, exploits an Oracle Java 7 Security Manager bypass vulnerability (CVE-2013-0422) in order to deliver a file to the visitor's computer.

Stage 5: Dropper Files

This particular campaign used a non-standard dropper file, a downloader in the Win32/Waledac family to install two bots: Win32/Kelihos and Troj/Zbot.

Stage 6: Call Home

From here, the machine notifies the bot herder and validates communications.

Stage 7: Data Theft

In what can be the most dangerous stage for businesses, the machine is now set up for long-term interception of data that is stored on the endpoint, passes through it, or is accessible from it. The compromise can also turn the endpoint into a platform for new attacks, such as sending unsolicited email or unwillingly participating in distributed denial of service (DDoS) attacks.

By looking at the entire threat chain, CSOs have multiple opportunities to spot risks and stop them before data is compromised. This approach is much more effective at spotting and stopping attacks rather than simply trying to spot an unknown object. With multiple analytics looking at every link in the threat chain, even zero-day attacks can be stopped. Today's businesses need these layers of analytics, with each layer making it much more difficult for the bad guys to penetrate your networks and steal your data, minimizing the risk that Java presents to the enterprise.
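As an added illustration of the chain-wide approach (example code written for this page, not Websense's or the article's own tooling), the script below walks constructed web-proxy log lines through the stages the RedKit campaign exhibits: a landing page on a bare-IP host (the hidden-iframe redirect), a JAR fetched by a Java user agent (the exploit applet), an executable fetched by the same Java process (the dropper), and a first call-home. Hosts, paths and user agents are constructed sample values, and the per-stage heuristics are assumptions for the demonstration, not signatures for RedKit.

```python
"""Correlate proxy log lines per client across the stages of a Java
exploit-kit infection chain; flag clients that advance through the
stages in order rather than matching any single indicator."""
import re
from collections import defaultdict

# Constructed sample log, one request per line: "client host path user_agent"
SAMPLE_LOG = """\
10.0.0.5 news.example.test /video.html Mozilla/5.0
10.0.0.5 203.0.113.10 /news.html Mozilla/5.0
10.0.0.5 203.0.113.10 /applet.jar Java/1.7.0_10
10.0.0.5 203.0.113.10 /update.exe Java/1.7.0_10
10.0.0.5 198.51.100.7 /gate.php Mozilla/4.0
10.0.0.9 news.example.test /video.html Mozilla/5.0
10.0.0.9 cdn.example.test /lib.js Mozilla/5.0
"""

IP_HOST = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

# Assumed stage heuristics, each a predicate on (host, path, user_agent).
# A client only advances to stage N+1 after it has matched stage N.
STAGES = [
    ("redirect_to_ip_host", lambda h, p, ua: bool(IP_HOST.match(h)) and p.endswith(".html")),
    ("java_fetches_jar",    lambda h, p, ua: ua.startswith("Java/") and p.endswith(".jar")),
    ("java_fetches_exe",    lambda h, p, ua: ua.startswith("Java/") and p.endswith(".exe")),
    ("call_home",           lambda h, p, ua: not ua.startswith("Java/") and p.endswith(".php")),
]


def parse(line):
    client, host, path, ua = line.split(" ", 3)
    return client, host, path, ua


def chains(log_text):
    """Return {client: [stage names reached, in order]} for clients that
    have progressed through at least the redirect and JAR-fetch stages."""
    progress = defaultdict(list)
    for line in log_text.splitlines():
        client, host, path, ua = parse(line)
        next_idx = len(progress[client])          # next stage this client needs
        if next_idx < len(STAGES):
            name, pred = STAGES[next_idx]
            if pred(host, path, ua):
                progress[client].append(name)
    return {c: s for c, s in progress.items() if len(s) >= 2}


if __name__ == "__main__":
    for client, stages in chains(SAMPLE_LOG).items():
        print(client, "->", " / ".join(stages))
```

Only 10.0.0.5 is reported: 10.0.0.9 viewed the same lure page but never advanced past it, which is exactly the distinction single-indicator matching loses.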
