The exploit targeting the latest zero-day vulnerability in the Java platform is dropping ransomware, and has been found in another exploit kit. Security experts, including U.S.-CERT last night, advise users and IT managers to disable Java on endpoints and browsers. Meanwhile, Polish security researcher Adam Gowdiak of Security Explorations, said the attacks target a pair of vulnerabilities, one of which was reported to Oracle in September and patched, apparently incompletely, in October.
“The 0-day attack code that was spotted in the wild is yet another instance of Java security vulnerabilities that stem from insecure implementation of Reflection API,” Gowdiak wrote to the Bugtraq mailing list. “The new attack is a combination of two vulnerabilities. The first flaw allows [Java] to load arbitrary (restricted) classes by the means of findClass method of com.sun.jmx.mbeanserver.MBeanInstantiator class. The second issue abuses the new Reflection API to successfully obtain and call MethodHandle objects that point to methods and constructors of restricted classes.”
HD Moore, creator of Metasploit and Rapid7 CSO, also pointed out the flaw was in the MBeanInstantiator in Java 1.7 Update 10. It is still unknown whether earlier versions are vulnerable to this attack.
“Similar to previous bugs, it enables you to run Java code outside the sandbox, so the thing about that is that it’s not dependent on OS or platform. It will run the same exact code on Mac OS X, Windows or Linux,” Moore told Threatpost yesterday. “The exploits going around are targeting Windows, but more than likely, we’ll see attacks for Mac like we did with the Flashback stuff last year.”
Researchers at security company FireEye said the malware payload is the Tobfy ransomware, which locks down a victim’s computer with an image purporting to be from the U.K.’s Police Central e-crime Unit. Like most ransomware, this one informs the victim that their IP address has been logged because they’d visited an illicit website and must pay a fine to unlock the machine. The victim is presented with two options for electronic payment, Ukash or Paysafecard, neither of which will unlock the machine or remove the malware.
In the meantime, the security researcher known as Kafeine, who found the zero day in a number of exploit kits, has added another to the list: the Sakura exploit kit.
All of this news comes days before Oracle is expected to ship a massive security patch update next Tuesday: 86 patches for a slew of Oracle products including Oracle Database, PeopleSoft, JD Edwards, Siebel CRM and MySQL Server. The company has been silent on a fix for the current Java vulnerability; its next Java SE security update release is scheduled for Feb. 19, though the company may release an out-of-band fix at any time.
FireEye’s research said some of the exploit sites are hosted on a file-sharing website it did not identify. Those landing pages then redirect victims to different domains hosting exploits and malware. The ransomware also disables Windows Safe Mode, FireEye’s post said, and terminates the task manager, msconfig and cmd.exe, preventing users from finding or disabling the malware. The post does note that the malware includes bad code in a callback thread that is supposed to notify the attacker if the ransom is paid. As with most ransomware, the victim is stuck with the malware even if they pay up.
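The behaviour FireEye describes, one process terminating the task manager, msconfig and cmd.exe in quick succession, is a pattern a defender can hunt for in endpoint telemetry. The following Python is an added example, not FireEye's or Threatpost's code: it runs a simple sliding-window detector over constructed process-event lines. The event format (timestamp, acting process, action, target process) and the sample log are assumptions made for the example; real telemetry varies, and some sources record only that a process ended, not which process ended it, in which case the `actor` field would have to come from an EDR that tracks the terminating process.

```python
"""Flag a process that terminates several user-recovery tools
(task manager, msconfig, cmd.exe) within a short window.
Event format and sample log are constructed for this example."""
from collections import defaultdict
from dataclasses import dataclass

# Processes the article says the ransomware terminates to block the user
WATCHED_TARGETS = {"taskmgr.exe", "msconfig.exe", "cmd.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    ts: int       # seconds since epoch (constructed values)
    actor: str    # image name of the process performing the action
    action: str   # "terminate" or "create"
    target: str   # image name of the affected process


def parse_event(line: str) -> ProcessEvent:
    """Parse one pipe-separated event line: ts|actor|action|target (assumed format)."""
    ts, actor, action, target = (f.strip() for f in line.split("|"))
    return ProcessEvent(int(ts), actor.lower(), action.lower(), target.lower())


def find_tampering(events, window=60, min_targets=2):
    """Return {actor: sorted targets} for every actor that terminates at least
    `min_targets` distinct watched processes within `window` seconds."""
    kills = defaultdict(list)
    for ev in events:
        if ev.action == "terminate" and ev.target in WATCHED_TARGETS:
            kills[ev.actor].append(ev)

    hits = {}
    for actor, evs in kills.items():
        evs.sort(key=lambda e: e.ts)
        # Slide a window starting at each kill; stop at the first window that qualifies
        for i, first in enumerate(evs):
            in_window = {e.target for e in evs[i:] if e.ts - first.ts <= window}
            if len(in_window) >= min_targets:
                hits[actor] = sorted(in_window)
                break
    return hits


# Constructed sample: one benign single kill, one legitimate admin kill much
# later, and one process that kills all three tools within seconds.
SAMPLE_LOG = """\
1357900000|explorer.exe|create|taskmgr.exe
1357900003|svchost.exe|terminate|cmd.exe
1357900010|updater.exe|terminate|taskmgr.exe
1357900012|updater.exe|terminate|msconfig.exe
1357900013|updater.exe|terminate|cmd.exe
1357900500|admin_tool.exe|terminate|cmd.exe
"""


def scan(log_text: str):
    """Parse a log blob and return the detections."""
    return find_tampering(parse_event(l) for l in log_text.splitlines() if l.strip())


if __name__ == "__main__":
    for actor, targets in scan(SAMPLE_LOG).items():
        print(f"ALERT: {actor} terminated {', '.join(targets)}")
```

The window and threshold are deliberately loose (two distinct tools in a minute) because a single kill of cmd.exe is routine; tune both against your own baseline before alerting on it, and pair the rule with whatever your telemetry records for Safe Mode configuration changes, which the example does not model.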