Cyberespionage group exploits unpatched Java flaw
15 July 2015 | 0
A sophisticated group of hackers known for targeting military, government and media organisations is currently using an exploit for a vulnerability in Java that has not been patched by Oracle.
The zero-day exploit was recently observed by researchers from antivirus vendor Trend Micro in attacks against the armed forces of an unnamed NATO country and a US defence organisation. Those targets received spear-phishing emails that contained links to web pages hosting the exploit.
The cyberespionage group, known as APT28 and Pawn Storm, has been active since at least 2007. Some security vendors believe that it operates out of Russia and has ties to that country’s intelligence services.
The group has been targeting NATO members and governments in Europe, Asia and the Middle East, as well as defence contractors and media organisations. It typically sends rogue emails to its victims with malicious links to supposed articles about geopolitical events.
The newly found exploit affects the latest version of the Java runtime environment, Java 8 Update 45, which was released in April, said researchers from Trend Micro.
Surprisingly, the exploit does not affect the older Java 7 and Java 6 versions, which no longer receive public security patches from Oracle.
A couple of years ago Java was the most frequently attacked browser plug-in, which prompted Oracle to beef up security in Java 8.
This is the first Java zero-day exploit reported in nearly two years, the Trend Micro researchers said.
Although unrelated, the discovery of this exploit comes at a time when security researchers found three zero-day exploits for Flash Player in data leaked from a surveillance software maker called Hacking Team.
Disabling both Flash Player and Java is advisable until these vulnerabilities are patched, the Trend Micro researchers said in a separate blog post. “Extra caution should be exercised for the foreseeable future and special attention paid for the possibility of compromised ad servers.”
“Flash and Java vulnerabilities are particularly well-suited for malvertising attacks, so we could possibly see these vulnerabilities incorporated into exploit kits that, in turn, are used to attack ad servers,” the researchers said.
In fact, two of the newly found Flash Player exploits have already been integrated into exploit kits that are used in malvertising attacks.
Lucian Constantin, IDG News Service