Java is a difficult beast that is causing a lot of
concern in the CTO, CIO and CSO offices. Mitigating Java risk, including
disabling Java, is easier said than done in today's business world.
Java is embedded into critical business applications, which enable
organizations to stay competitive. Unfortunately, Java zero-days and
vulnerabilities allow bad guys to constantly pwn computers, and
patch management, while often touted as a solution, simply isn't
working. This is precisely why over the past few months we
researched and documented the gravity of the Java security risk.
- 93 per cent of enterprises were vulnerable to known Java exploits
- Nearly 50 per cent of enterprise traffic is using a version of Java more than two years out of date
- In monitoring patch progress, we discovered that within months of a critical Java release, only 7 per cent of enterprises had adopted the latest version of Java
- 83.86 per cent of enterprise browsers have Java enabled to deliver Java-based content
Java Exploits and Zero Days Popular in Crime Kits
Take a look at the control panel for any crime kit and you'll see that Java exploits are one of the most successful gateways into an organization to infect machines and steal sensitive data. However, the challenge for most businesses isn't the initial discovery of Java vulnerabilities, but the integration of zero-days into exploit kits.
Cybercriminals can rent a hosted exploit kit with zero-days already in it, for as little as $200 a week. Fast integration of zero-day vulnerabilities provides attackers with an unlimited capacity to reconstruct exploits that bypass traditional signature methods like antivirus, firewalls and other controls. Exploit kits have taken a complex and costly process and reduced the effort, expertise and cost previously required to take advantage of vulnerabilities. The barrier to entry for cybercriminals is now incredibly low. Well-made kits do almost all the work for you, right down to hosting the binary, if you choose.
The results of our research indicate that the patch management process is woefully slow. Patch management can be a complicated process for an organization, especially those with remote workers. This is exactly why real-time security models are absolutely essential. Patch management (even the best) and antivirus simply cannot keep up with the ongoing barrage of zero-days and exploits created to take advantage of the next generations of attacks.
How Java Exploits are Used in the Seven Stages of Advanced Threats
When you take the approach of looking at the entire attack chain for suspicious behavior, rather than waiting and hoping to catch something on the last step of the process, you have many more opportunities to spot and disrupt an attack - even if it's malware you've never seen before. Here is a recent example:
This year, cybercriminals sought to take advantage of the horrific attacks at the Boston Marathon to infect computers using the RedKit Exploit Kit. Let's take a look at this campaign, to understand how Java exploits are used in the Seven Stages of Advanced Threats.
Stage 1: Reconnaissance
Like many other campaigns, in this example, the cybercriminals are opportunists looking to monitor news and breaking events for a chance to launch a successful attack. The bombings at the Boston Marathon provided the opportunity for this specific campaign.
Stage 2: Lures
The bad actors then generated a spam email campaign with sensational headlines to exploit human interest in learning more about the situation, including:
- 2 Explosions at Boston Marathon
- Aftermath to explosion at Boston Marathon
- Boston Explosion Caught on Video
- BREAKING - Boston Marathon Explosion
- Runner captures. Marathon Explosion
- Video of Explosion at the Boston Marathon
Once the link is clicked, the victim is brought to a page with video coverage of the breaking event. Unbeknownst to them, a hidden iframe redirects them to an exploit page, in this case:
- http:///news.html
- http:///boston.html
The RedKit Exploit Kit used in this attack scans for applicable vulnerabilities and, in this instance, exploits an Oracle Java 7 Security Manager bypass vulnerability (CVE-2013-0422) in order to deliver a file to the visitor's computer.
Stage 5: Dropper Files
This particular campaign used a non-standard dropper file, a downloader in the Win32/Waledac family to install two bots: Win32/Kelihos and Troj/Zbot.
Stage 6: Call Home
From here, the machine notifies the bot herder and validates communications.
Stage 7: Data Theft
In what can be the most dangerous stage for businesses, the machine is now set up for long-term interception of data on the endpoint or device, passing through it, or accessible from it. This can also turn the endpoint into a platform for new attacks, such as sending unsolicited email or unwilling participation in distributed denial of service (DDoS) attacks.
By looking at the entire threat chain, CSOs have multiple opportunities to spot risks and stop them before data is compromised. This approach is much more effective at spotting and stopping attacks than simply trying to spot an unknown object. With multiple analytics looking at every link in the threat chain, even zero-day attacks can be stopped.
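As an added illustration of correlating the stages above in web proxy logs (example code written for this page, not from the article or any vendor product), the following Python maps constructed log lines for one client onto the redirect, exploit-kit, dropper and call-home stages, and flags a Java plug-in build from the User-Agent as Java 7 Update 10 or earlier, the builds affected by CVE-2013-0422 (fixed in 7u11). Host names, URLs and the log layout are assumed.

```python
import re
from collections import defaultdict

# Constructed proxy log entries (not from the article): client_ip, method, url, referer, user_agent.
SAMPLE_LOG = [
    ("10.0.0.5", "GET", "http://lure.example/boston.html", "-", "Mozilla/5.0 (Windows NT 6.1) Firefox/20.0"),
    ("10.0.0.5", "GET", "http://kit.example/news.html", "http://lure.example/boston.html", "Mozilla/5.0 (Windows NT 6.1) Firefox/20.0"),
    ("10.0.0.5", "GET", "http://kit.example/a83b.jar", "http://kit.example/news.html", "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_10"),
    ("10.0.0.5", "GET", "http://kit.example/load.exe", "-", "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_10"),
    ("10.0.0.5", "POST", "http://c2.example/gate.php", "-", "Mozilla/4.0 (compatible; MSIE 6.0)"),
    ("10.0.0.9", "GET", "http://news.example/boston.html", "-", "Mozilla/5.0 (Windows NT 6.1) Firefox/20.0"),
]

# The Java plug-in announces itself as "Java/1.<major>.0_<update>" when it fetches applets.
JAVA_UA = re.compile(r"Java/1\.(\d+)\.0_(\d+)")

def java_vulnerable_to_cve_2013_0422(user_agent):
    """True when the User-Agent shows Java 7 Update 10 or earlier (Oracle fixed CVE-2013-0422 in 7u11)."""
    m = JAVA_UA.search(user_agent)
    if not m:
        return False
    major, update = int(m.group(1)), int(m.group(2))
    return major == 7 and update <= 10

def host_of(url):
    return url.split("/")[2]

def stages_seen(entries):
    """Map one client's log lines onto the stages of the chain they match; no malware signature needed."""
    seen = set()
    for _, method, url, referer, ua in entries:
        if referer != "-" and host_of(referer) != host_of(url):
            seen.add("redirect")       # cross-site hop, e.g. a hidden iframe sending the browser to the kit
        if url.endswith(".jar") and "Java/" in ua:
            seen.add("exploit_kit")    # the Java plug-in pulling an applet from the landing page's host
        if url.endswith(".exe"):
            seen.add("dropper")        # a binary fetched straight after the applet
        if method == "POST" and url.endswith(".php") and referer == "-":
            seen.add("call_home")      # POST with no referring page: beacon candidate
    return seen

def score_clients(log):
    """Group the log by client and return the set of stages observed for each."""
    per_client = defaultdict(list)
    for entry in log:
        per_client[entry[0]].append(entry)
    return {ip: stages_seen(entries) for ip, entries in per_client.items()}

def flag_clients(log, min_stages=3):
    """Clients that walked through at least min_stages links of the chain, plus any vulnerable Java build seen."""
    stages = score_clients(log)
    java_hits = {e[0] for e in log if java_vulnerable_to_cve_2013_0422(e[4])}
    return sorted(ip for ip, s in stages.items() if len(s) >= min_stages or (ip in java_hits and s))
```

Single heuristics like these are noisy on their own; the alert comes from several of them firing on the same client in sequence, which is the point of the chain view above.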
Today's businesses need these layers of analytics, with each layer making it much more difficult for the bad guys to penetrate your networks and steal your data, minimizing the risk that Java presents to the enterprise.
src: http://www.abc.net.au/technology/articles/2013/11/27/3900108.htm
ABC Technology and Games 27 Nov 2013