Russian hackers exploit unusual Java zero-day to hit unnamed NATO country

Cyber-espionage group 'Pawn Storm' has been exploiting an unusual Java zero-day vulnerability to carry out drive-by-download attacks on a NATO country and US defence company, according to Trend Micro.


The anti-virus and threat intelligence vendor reported on Sunday that it had noticed Pawn Storm's return, after spotting a series of spear-phishing emails containing links to an exploit kit. This, researchers said, marked a slight change in tactic from the group's attacks against the White House and other NATO members in April, when the URLs sent in spear-phishing emails did not host the exploit kits.

On this occasion, the hacking group, which is believed to have close links to the Kremlin, leveraged a new and unpatched vulnerability in Oracle's Java, the first Java zero-day to be spotted in the wild since 2013.

The exploit affects the latest version of Java, Java 8 Update 45 (or 1.8.0.45), which was released in April. More surprisingly, it does not affect the older Java 7 and Java 6 versions, even though those versions no longer receive public security patches from Oracle.

Pawn Storm, which is also known as APT28, has targeted nation-state organisations and governments since 2007, typically using political events and meetings to lure victims in its targeted spear phishing emails. For example, it previously sent out emails inviting senior figures to the Asia-Pacific Economic Cooperation (APEC) Forum and Middle East Homeland Security Summit, but with the aim of infecting the user when they opened the email and clicked on the link.

In this latest attack, a successful exploit allows the malware to execute arbitrary code under the default Java settings, thereby compromising the security of the system.

Trend Micro researchers have reported the vulnerability to Oracle, and the software giant is now working with the security company to address it. Trend detects the exploit code as 'JAVA_DLOADR.EFD', with the file 'TROJ_DROPPR.CXC' dropping the payload 'TSPY_FAKEMS.C' into the logged-in user's folder.

"Until a patch is available, we recommend disabling Java … We will continue to monitor this situation and provide updates when we have them," said Trend Micro in a blog post.

Symantec was also aware of the zero-day vulnerability, adding that it is 'critical' because Java is such a widely used platform.

Pawn Storm has repeatedly been linked with the Russian government and has tended to focus on the defence industry, military, government organisations and media firms, using the Sednit malware to steal sensitive information from victims.

In recent months, it is believed to have been active in attacks against Ukrainian activists, as well as – more controversially – in the attack against French TV station TV5Monde.

Kevin Epstein, VP of advanced security and governance at Proofpoint, said in an email to SCMagazineUK.com: "Adversaries continue to use spear-phishing to initiate attacks because it works; as Proofpoint's Human Factor research has shown, eventually every target clicks. Organisations relying on legacy secure email gateway-only protection will be compromised – hence the move by best-in-breed defenders to adopt more modern protection in the form of incremental targeted attack protection and threat response systems."

Bhavuk Arora, senior cyber-security specialist at consultancy Capgemini, added in an email to SC that this is proof of the importance of patch management.

"This is a good example of how the lack of a good patching policy can come back to haunt an organisation. Patching is still often looked upon more as a compliance exercise than a necessary activity to support an organisation's business processes. Turning off Java is just not a practical solution for many businesses. Effective patching is a basic security pre-requisite."

James Maude, security engineer at Avecto, further added that this week's news on zero-days in Flash and now Java would "cause a great deal of concern" to firms reliant on patching and anti-virus to safeguard their endpoints.

"This attack demonstrates a certain cruel irony by only being able to compromise those running the latest and supposedly most secure version of Java. This really shows how the mind-set of organisations should never be that a system is secured, but part of an on-going process of improvement. Security is a continuous journey, not a destination based on the latest version number or update."

Maude added that Avecto's own research had shown that most of the time attackers were exploiting CVEs published over a year ago. "When it comes to zero days, patch management, updates and AV updates all suffer the same flaw: they are reacting after the event has happened. Traditional defence strategies can no longer be relied upon to safeguard the endpoint; they need to be supported by more advanced proactive measures that provide layers of security to keep organisations protected between patches."

He continued: "It is worth pointing out that the issue Trend Micro is highlighting appears to be related to browser-based Java applets, so before sysadmins start burning the entire Java installation they should look at simply disabling the browser plugin for a quick win."
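The two mitigations the article reports, Trend Micro's "disable Java" and Maude's narrower "disable the browser plugin", both start with knowing which hosts run the affected build and whether the plugin is still switched on. The script below is an added example written for this page, not code from SC Magazine, Trend Micro or Avecto. It parses the text of `java -version` and a Java `deployment.properties` file (the `deployment.webjava.enabled` key is the real Oracle setting that turns the browser plugin off) and reports each host's exposure. The sample outputs and properties embedded in it are constructed, and the affected-version table contains only the build the article names, Java 8 Update 45; it makes no claim about other Java 8 updates, which the article does not assess.

```python
import re

# Only the version the article names is listed as affected: Java 8 Update 45.
# Java 7 and Java 6 are reported as unaffected; other Java 8 updates are not
# assessed by the article, so they are reported as "unknown" rather than guessed.
AFFECTED = {(8, 45)}
UNAFFECTED_MAJORS = {6, 7}

# Matches the first line of `java -version`, e.g. 'java version "1.8.0_45"'.
_VERSION_RE = re.compile(r'version "1\.(\d+)\.0(?:_(\d+))?')


def parse_java_version(output):
    """Return (major, update) from `java -version` output, or None if absent."""
    m = _VERSION_RE.search(output)
    if not m:
        return None
    major = int(m.group(1))
    update = int(m.group(2) or 0)
    return (major, update)


def version_status(version):
    """Classify a (major, update) tuple against what the article reports."""
    if version is None:
        return "no-java"
    if version in AFFECTED:
        return "affected"
    if version[0] in UNAFFECTED_MAJORS:
        return "unaffected"
    return "unknown"


def browser_plugin_disabled(properties_text):
    """True if deployment.properties sets deployment.webjava.enabled=false.

    The plugin is enabled unless the key is explicitly set to false, so a
    missing key counts as enabled.
    """
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.strip() == "deployment.webjava.enabled":
            return value.strip().lower() == "false"
    return False


def assess_host(java_version_output, properties_text):
    """Combine version and plugin state into one exposure verdict.

    'exposed' means the affected build is installed and the browser plugin,
    the delivery path Maude points at, is still enabled.
    """
    status = version_status(parse_java_version(java_version_output))
    plugin_off = browser_plugin_disabled(properties_text)
    if status == "affected" and not plugin_off:
        return "exposed"
    if status == "affected":
        return "affected-plugin-disabled"
    return status


# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_HOSTS = {
    "ws-01": (
        'java version "1.8.0_45"\nJava(TM) SE Runtime Environment\n',
        "# constructed deployment.properties\ndeployment.webjava.enabled=true\n",
    ),
    "ws-02": (
        'java version "1.8.0_45"\nJava(TM) SE Runtime Environment\n',
        "deployment.webjava.enabled=false\n",
    ),
    "ws-03": (
        'java version "1.7.0_79"\nJava(TM) SE Runtime Environment\n',
        "",
    ),
    "ws-04": ("bash: java: command not found\n", ""),
}


def assess_inventory(hosts=SAMPLE_HOSTS):
    """Return {hostname: verdict} for every host in the inventory."""
    return {name: assess_host(out, props) for name, (out, props) in hosts.items()}


if __name__ == "__main__":
    for host, verdict in assess_inventory().items():
        print(f"{host}: {verdict}")
```

Hosts reported as `exposed` are the ones to act on first, either by pulling the update Oracle issues or, as Maude suggests, by setting `deployment.webjava.enabled=false` so the applet path is closed while the rest of the Java installation keeps working.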