Oracle Patches Java Zero-Day Exploited by Pawn Storm Attackers

Oracle has patched a Java zero-day exploited by the Russia-linked advanced persistent threat (APT) group known as “Pawn Storm” in attacks aimed at NATO member countries and the White House.

The vulnerability, reported to Oracle by Trend Micro, was used earlier this year in conjunction with a different Java zero-day by the Pawn Storm attackers. The threat group leveraged a remote code execution vulnerability in Java (CVE-2015-2590), which Oracle patched with the July 2015 Critical Patch Update (CPU), and a different Java weakness (CVE-2015-4902), which Oracle addressed on Tuesday with the October 2015 CPU.

The attackers used the flaw identified as CVE-2015-4902 to bypass the click-to-play protection in Java.

In recent years, several steps have been taken to make Java vulnerabilities harder to exploit: Oracle started releasing updates more often, browser vendors blocked outdated Java versions, the rules for executing self-signed and unsigned applets were tightened, and click-to-play protection was introduced for all applets.

In attacks aimed at NATO members and the White House, the Pawn Storm threat group leveraged both CVE-2015-2590 and CVE-2015-4902. The first issue was detailed by Trend Micro in July, shortly after the attacks were spotted, and now that Oracle has resolved the click-to-play bypass flaw, the security firm disclosed its details as well.

The click-to-play bypass vulnerability allowed attackers to execute malicious Java code without any alerts being shown to the victim.

“If Java was still in widespread use today, the effects of a bypass of click-to-play protection would be far-reaching. Any zero-day vulnerability discovered down the road would allow for drive-by downloads to be carried out,” Trend Micro threats analyst Jack Tang explained in a blog post. “This case also highlights the importance of ensuring that when new security features (such as click-to-play) are introduced to a complex system like Java, it is a must to audit the communications of existing components with the new features. This is to ensure that existing ‘good’ features and security are not lost in the mix.”

The Pawn Storm cyber espionage group (also known as Sednit, APT28, Fancy Bear, Sofacy and Tsar Team) has been around since at least 2007, focusing its operations on government, military, media, and defense organizations from across the world.

Pawn Storm has used at least half a dozen zero-day vulnerabilities in the last year, including flaws affecting Java, Windows and Flash Player. Trend Micro reported last week that the group had leveraged an Adobe Flash Player zero-day (CVE-2015-7645) in attacks aimed at several Foreign Affairs Ministries. Adobe patched the weakness within a few days after its existence came to light.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.