SecurityWeek

Cybercrime

Gong Da Exploit Kit Boosts Java Attack Power With Latest Exploits

The latest Java vulnerability has been integrated into both Black Hole and Gong Da exploit kits, making it easier for cyber-criminals to launch attacks exploiting the flaw, a security researcher said.


The Gong Da exploit kit has been adding support for a number of Java vulnerabilities recently, and its latest iteration includes the remote code execution flaw in the Java Applet JAX Web services library, Eric Romang, a security researcher and founder of Zataz.com, wrote Sunday. The exploit, CVE-2012-5076, targets Java SE 7 Update 7 and earlier, and was patched by Oracle on Oct. 16 as part of Java SE 7 Update 9. However, Java 6 installations don’t have this vulnerability, regardless of whether the software is up-to-date or not, Jeong Wook (Matt) Oh, a researcher at Microsoft Malware Protection Center, wrote on the MMPC blog last week.

The Gong Da exploit kit also includes attacks for several other Java flaws, including CVE-2011-3544 (Oracle Java Rhino exploit), CVE-2012-4681 (the zero-day discovered in August), CVE-2012-0507, CVE-2012-1723, and CVE-2012-1889 (Microsoft XML Core Services). Gong Da has changed its list of targeted vulnerabilities recently. Previous versions supported Adobe Flash Player (CVE-2011-2140) and Windows Media (CVE-2012-0003) bugs, but these exploits don’t appear in the latest version of the toolkit anymore, Romang said.

“Recently, we have seen more and more Java malware and malware distributors using new vulnerabilities quicker than ever before,” Oh wrote.

Gong Da is the third exploit kit to integrate CVE-2012-5076 into its repertoire, following Cool Exploit Kit and Black Hole, Romang said.

Websites created using the Gong Da kit, whose name means “attack” in Chinese, chain several exploits together as part of the attack pattern. Most of the malware samples that actually exploit CVE-2012-5076 are bundled with other Java exploits to increase their attack coverage, Oh said. For example, attacks exploiting CVE-2012-5076 may be included in malware along with attacks for CVE-2012-1723, which can be used on both unpatched Java 6 and 7, Oh said.

Depending on the specific version of Java SE installed on the victim computer, Gong Da served up different .jpg image or .html files exploiting specific Java vulnerabilities, according to the control flow diagram on Romang’s post.

Romang came across the latest Gong Da exploit on a site whose domain was registered on Nov. 17. The index.html file on the site contains JavaScript obfuscated by the “JSXX VIP JS Obfuscator” tool and is difficult to detect, he said. Only eight out of 44 antivirus detectors on VirusTotal flagged the initial file as malicious, Romang said in his post three days ago. That number appears unchanged as of this writing.

As for the JAX-WS flaw, existing malware abuses the “package access problem” in the Java Runtime Environment, Microsoft’s Oh wrote. Package access is important because if trusted code is exposed to the user, it can be abused to break the Java security model, Oh said. For example, untrusted Java applets should not be able to access Oracle packages, such as Glassfish’s gmbal.


“Packages usually contain critical operations that should not be performed from untrusted code like unsigned Java applets,” Oh said.

Unsigned Java applets run inside a sandbox environment which is designed to restrict access to system resources like file and process operations. Malicious code with access to packages can create the user’s own class on the fly with escalated privileges, Oh wrote.
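The “package access problem” Oh describes is enforced by the JRE’s `package.access` security property: when a SecurityManager is active, class loaders other than the bootstrap loader refuse to load classes whose package matches one of the listed prefixes. The following is an added illustration, not code from the article, Microsoft or Oracle; it assumes a Java 7/8-era JRE where a SecurityManager can still be installed, and assumes `com.sun.org.glassfish.gmbal.` as the package name for the gmbal library mentioned above. It reports which of the named prefixes the local JRE does not restrict, and then shows the SecurityManager denying a restricted package from untrusted-style code.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class PackageAccessCheck {
    // Prefixes that untrusted code (e.g. an unsigned applet) must not reach.
    // "com.sun.org.glassfish.gmbal." is an assumed name for Glassfish's gmbal.
    static final String[] MUST_BE_RESTRICTED = { "sun.", "com.sun.org.glassfish.gmbal." };

    // package.access is a comma-separated list of prefixes; a package is
    // restricted when any listed prefix is a prefix of its name.
    static boolean isRestricted(String pkg, List<String> restrictedPrefixes) {
        for (String prefix : restrictedPrefixes) {
            if (pkg.startsWith(prefix)) return true;
        }
        return false;
    }

    // Returns the prefixes from MUST_BE_RESTRICTED that this JRE's
    // package.access property does not cover (a hardening gap).
    static List<String> missingRestrictions() {
        String prop = Security.getProperty("package.access");
        List<String> restricted = prop == null
            ? new ArrayList<String>()
            : Arrays.asList(prop.trim().split("\\s*,\\s*"));
        List<String> missing = new ArrayList<String>();
        for (String pkg : MUST_BE_RESTRICTED) {
            if (!isRestricted(pkg, restricted)) missing.add(pkg);
        }
        return missing;
    }

    // With a SecurityManager installed, loading a class from a restricted
    // package through the application class loader fails the
    // "accessClassInPackage.<pkg>" RuntimePermission check.
    static boolean loadIsBlocked(String className) {
        try {
            Class.forName(className);
            return false;
        } catch (SecurityException e) {
            return true;   // checkPackageAccess denied the load
        } catch (ClassNotFoundException e) {
            return true;   // class absent from this JRE; treat as not reachable
        }
    }

    public static void main(String[] args) {
        System.out.println("Not covered by package.access: " + missingRestrictions());
        System.setSecurityManager(new SecurityManager());
        System.out.println("sun.misc.Unsafe load blocked: " + loadIsBlocked("sun.misc.Unsafe"));
    }
}
```

On a patched JRE the first line prints an empty list; on an older one it names the prefixes an administrator would need to add to `package.access` in `lib/security/java.security`.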

“From what we have seen in the last few months, we expect to see more and more exploits abusing this vulnerability,” Oh said. “So, users should be prepared for this threat.”
