Java is a difficult beast that is causing a lot of
concern in the CTO, CIO and CSO offices. Mitigating Java risk, including
disabling Java, is easier said than done in today's business world.
Java is embedded into critical business applications, which enable
organizations to stay competitive. Unfortunately, Java zero-days and
vulnerabilities allow bad guys to constantly pwn computers, and
patch management, while often touted as a solution, simply isn't
working. This is precisely why, over the past few months, we
researched and documented the gravity of the Java security risk.
Our initial research reviewed
real-time telemetry collected from our ThreatSeeker Intelligence Cloud
to determine which versions of Java are actively used across tens of
millions of endpoints. The results of our research were frightening to
say the least:
- 93 per cent of enterprises were vulnerable to known Java exploits
- Nearly 50 per cent of enterprise traffic is using a version of Java more than two years out of date
- In monitoring patch progress, we discovered that within months of a critical Java release, only 7 per cent of enterprises had adopted the latest version of Java
- 83.86 per cent of enterprise browsers have Java enabled to deliver Java-based content
Nearly 40 per cent of users are not currently using the most
up-to-date versions of Flash. So, if roughly 10 per cent of enterprises
or less are proactively managing known critical Java vulnerabilities
through patch management and version control, what security measures are
the other 93 per cent relying on to protect their systems from
compromise and data theft?
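The measurement behind figures like these can be reproduced on a smaller scale from an ordinary web proxy log, because the Java runtime identifies itself in its User-Agent header (for example `Java/1.7.0_10`). The script below is an added example written for this page; it is not ThreatSeeker code or anything from the original article. The log lines are constructed placeholders on reserved `.invalid` hostnames, and the baseline of Java 7 Update 11 (the release that carried Oracle's fix for CVE-2013-0422, the vulnerability named later in the article) is an assumption the reader should replace with their own patch policy.

```python
import re
from collections import Counter

# Constructed proxy log lines: "client_ip url user_agent". Placeholder hosts, not real telemetry.
SAMPLE_PROXY_LOG = """\
10.0.1.12 http://updates.example.invalid/app.jar Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_10
10.0.1.17 http://intranet.example.invalid/applet.jar Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_45
10.0.1.21 http://updates.example.invalid/app.jar Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_45
10.0.1.33 http://www.example.invalid/ Mozilla/5.0 (Windows NT 6.1) Firefox/25.0
10.0.1.12 http://updates.example.invalid/lib.jar Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_10
"""

# The JRE's HTTP client and the browser plug-in both send "Java/1.<major>.0_<update>".
JAVA_UA = re.compile(r"\bJava/1\.(\d+)\.\d+(?:_(\d+))?\b")

# Assumed policy baseline: Java 7 Update 11, the release carrying Oracle's fix for CVE-2013-0422.
REQUIRED_MIN = (7, 11)


def parse_java_version(user_agent):
    """Return (major, update) from a Java User-Agent string, or None for non-Java clients."""
    m = JAVA_UA.search(user_agent)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2) or 0))


def java_posture(log_text, required_min=REQUIRED_MIN):
    """Summarise which Java versions endpoints run and which fall below the baseline."""
    oldest_by_host = {}          # client -> oldest Java version seen (the one an attacker cares about)
    version_counts = Counter()   # raw version token -> number of requests
    for line in log_text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) < 3:
            continue
        host, _url, user_agent = parts
        version = parse_java_version(user_agent)
        if version is None:
            continue
        version_counts[JAVA_UA.search(user_agent).group(0)] += 1
        oldest_by_host[host] = min(oldest_by_host.get(host, version), version)
    outdated = sorted(h for h, v in oldest_by_host.items() if v < required_min)
    total = len(oldest_by_host)
    return {
        "java_hosts": total,
        "outdated_hosts": outdated,
        "percent_outdated": (100.0 * len(outdated) / total) if total else 0.0,
        "version_counts": version_counts,
    }


if __name__ == "__main__":
    report = java_posture(SAMPLE_PROXY_LOG)
    print(f"{report['java_hosts']} endpoints use Java; "
          f"{report['percent_outdated']:.1f}% are below Java {REQUIRED_MIN[0]} Update {REQUIRED_MIN[1]}")
    for host in report["outdated_hosts"]:
        print("  outdated endpoint:", host)
```

The per-host value kept is the oldest version observed, not the newest: an endpoint with several JREs installed is only as safe as the oldest one a page can invoke. Tuple comparison does the right thing across major versions, so every Java 6 client falls below a Java 7 baseline automatically.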
Java Exploits and Zero Days Popular in Crime Kits
Take a look at the control panel for any crime kit and you'll see
that Java exploits are one of the most successful gateways into an
organization to infect machines and steal sensitive data. However, the
challenge for most businesses isn't the initial discovery of Java
vulnerabilities, but the integration of zero-days into exploit kits.
Cybercriminals can rent a hosted exploit kit with zero-days already
in it, for as little as $200 a week. Fast integration of zero-day
vulnerabilities provides attackers with an unlimited capacity to
reconstruct exploits that bypass traditional signature methods like
antivirus, firewalls and other controls. Exploit kits have taken a
complex and costly process and reduced the effort, expertise and cost
previously required to take advantage of vulnerabilities. The barrier to
entry for cybercriminals is now incredibly low. Well-made kits do
almost all the work for you, right down to hosting the binary, if you
choose.
The results of our research indicate that the patch management
process is woefully slow. Patch management can be a complicated process
for an organization, especially those with remote workers. This is
exactly why real-time security models are absolutely essential. Patch
management (even the best) and antivirus simply cannot keep up with the
ongoing barrage of zero-days and exploits created to take advantage of
the next generations of attacks.
How Java Exploits are Used in the Seven Stages of Advanced Threats
When you take the approach of looking at the entire attack chain for
suspicious behavior, rather than waiting and hoping to catch something
on the last step of the process, you have many more opportunities to
spot and disrupt an attack - even if it's malware you've never seen
before. Here is a recent example:
This year, cybercriminals sought to take advantage of the horrific
attacks at the Boston Marathon to infect computers using the RedKit
Exploit Kit. Let's take a look at this campaign, to understand how Java
exploits are used in the Seven Stages of Advanced Threats.
Stage 1: Reconnaissance
Like many other campaigns, in this example, the cybercriminals are
opportunists looking to monitor news and breaking events for a chance to
launch a successful attack. The bombings at the Boston Marathon
provided the opportunity for this specific campaign.
Stage 2: Lures
The bad actors then generated a spam email campaign with sensational
headlines to exploit human interest in learning more about the
situation, including:
- 2 Explosions at Boston Marathon
- Aftermath to explosion at Boston Marathon
- Boston Explosion Caught on Video
- BREAKING - Boston Marathon Explosion
- Runner captures. Marathon Explosion
- Video of Explosion at the Boston Marathon
Stage 3: Redirects
Once the link is clicked, the victim is brought to a page with video
coverage of the breaking event. Unbeknownst to them, a hidden iframe
redirects them to an exploit page, in this case:
- http:///news.html
- http:///boston.html
Stage 4: Exploit Kits
The RedKit Exploit Kit used in this attack scans for applicable
vulnerabilities and, in this occurrence, exploits an Oracle Java 7
Security Manager bypass vulnerability (CVE-2013-0422) in order to
deliver a file to the visitor's computer.
Stage 5: Dropper Files
This particular campaign used a non-standard dropper file, a
downloader in the Win32/Waledac family to install two bots:
Win32/Kelihos and Troj/Zbot.
Stage 6: Call Home
From here, the machine notifies the bot herder and validates communications.
Stage 7: Data Theft
In what can be the most dangerous stage for businesses, the machine
is now set up for long-term interception of data on the endpoint or
device, passing through the device, or accessible by the device. This
can also turn the endpoint into a platform for new attacks, such as the
sending of unsolicited email or unwilling participation in distributed
denial of service (DDoS) attacks.
By looking at the entire threat chain, CSOs have multiple
opportunities to spot risks and stop them before data is compromised.
This approach is much more effective at spotting and stopping attacks
than simply trying to spot an unknown object. With multiple
analytics looking at every link in the threat chain, even zero-day
attacks can be stopped.
Today's businesses need these layers of analytics, with each layer
making it much more difficult for the bad guys to penetrate your
networks and steal your data, minimizing the risk that Java presents to
the enterprise.
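As an added illustration of the "every link in the chain" approach (example code written for this page, not part of the article or of any vendor product), the Python below replays a constructed proxy log in which one client follows the pattern described in Stages 3 to 6: a cross-site page load driven by another page (the hidden iframe), a JAR fetched by the Java runtime from the redirect target, an executable handed to that same runtime, and a first POST to a domain the client had never contacted. No single event is conclusive on its own; the alert fires only when several stages line up for one client inside a short window. All hostnames use the reserved `.invalid` TLD and are not real indicators, and the stage heuristics and the ten-minute window are assumptions to be tuned against real traffic.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed proxy events: "timestamp client_ip method url referer user_agent content_type".
# "-" marks an absent referer. Placeholder domains only.
SAMPLE_EVENTS = """\
2013-04-17T09:00:00 10.0.1.12 GET http://news-video.example.invalid/boston.html - Mozilla/5.0 text/html
2013-04-17T09:00:01 10.0.1.12 GET http://redirector.example.invalid/news.html http://news-video.example.invalid/boston.html Mozilla/5.0 text/html
2013-04-17T09:00:03 10.0.1.12 GET http://redirector.example.invalid/x.jar http://redirector.example.invalid/news.html Java/1.7.0_10 application/java-archive
2013-04-17T09:00:05 10.0.1.12 GET http://redirector.example.invalid/load.exe - Java/1.7.0_10 application/x-msdownload
2013-04-17T09:01:00 10.0.1.12 POST http://c2.example.invalid/gate.php - Mozilla/4.0 text/plain
2013-04-17T09:00:00 10.0.1.21 GET http://intranet.example.invalid/applet.jar http://intranet.example.invalid/ Java/1.7.0_45 application/java-archive
2013-04-17T09:00:02 10.0.1.21 GET http://intranet.example.invalid/report.html - Mozilla/5.0 text/html
"""

WINDOW = timedelta(minutes=10)  # assumed: stages must land within ten minutes of the first one
JAR_TYPES = {"application/java-archive", "application/x-java-archive"}
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-dosexec"}


def parse_event(line):
    """Split one constructed log line into a dict with parsed timestamp and hostnames."""
    ts, client, method, url, referer, ua, ctype = line.split()
    return {
        "ts": datetime.fromisoformat(ts), "client": client, "method": method,
        "domain": urlparse(url).hostname,
        "referer_domain": urlparse(referer).hostname if referer != "-" else None,
        "ua": ua, "ctype": ctype,
    }


def correlate_chain(log_text, min_stages=3):
    """Return {client: [stages seen]} for clients that hit at least min_stages of the chain."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_event(line)
            by_client[ev["client"]].append(ev)

    alerts = {}
    for client, events in by_client.items():
        events.sort(key=lambda e: e["ts"])
        stages = {}             # stage number -> timestamp of first matching event
        chain_domains = set()   # domains reached through a cross-site redirect or dropper
        seen_domains = set()    # every domain this client has contacted so far
        for ev in events:
            start = min(stages.values()) if stages else None
            if start is not None and ev["ts"] - start > WINDOW:
                break  # outside the window; a production version would slide the window instead
            d = ev["domain"]
            # Stage 3: an HTML page pulled in from a site other than its referer (hidden iframe pattern)
            if (ev["method"] == "GET" and ev["ctype"] == "text/html"
                    and ev["referer_domain"] and ev["referer_domain"] != d):
                chain_domains.add(d)
                stages.setdefault(3, ev["ts"])
            # Stage 4: the Java runtime itself fetching an archive from a redirect-chain domain
            elif ev["ua"].startswith("Java/") and ev["ctype"] in JAR_TYPES and d in chain_domains:
                stages.setdefault(4, ev["ts"])
            # Stage 5: an executable delivered to the Java runtime, or served from a chain domain
            elif ev["ctype"] in EXECUTABLE_TYPES and (ev["ua"].startswith("Java/") or d in chain_domains):
                chain_domains.add(d)
                stages.setdefault(5, ev["ts"])
            # Stage 6: first POST to a never-before-seen domain after a dropper arrived (call home)
            elif ev["method"] == "POST" and 5 in stages and d not in seen_domains:
                stages.setdefault(6, ev["ts"])
            seen_domains.add(d)
        if len(stages) >= min_stages:
            alerts[client] = sorted(stages)
    return alerts


if __name__ == "__main__":
    for client, stages in correlate_chain(SAMPLE_EVENTS).items():
        print(f"{client}: stages {stages} observed within {WINDOW}")
```

The second client in the sample loads a JAR too, but from its own intranet with a same-site referer, so it never enters the chain and produces no alert; requiring the stages to build on each other (the JAR must come from a redirect target, the POST must follow a dropper) is what keeps an ordinary applet from looking like an exploit kit.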
src:
http://www.abc.net.au/technology/articles/2013/11/27/3900108.htm
By Gerry Tucker
ABC Technology and Games
27 Nov 2013