Oracle has patched a Java zero-day exploited by the Russia-linked advanced persistent threat (APT) group known as “Pawn Storm” in attacks aimed at NATO member countries and the White House.
The vulnerability, reported to Oracle by Trend Micro, was used earlier this year in conjunction with a different Java zero-day by the Pawn Storm attackers. The threat group leveraged a remote code execution vulnerability in Java (CVE-2015-2590), which Oracle patched with the July 2015 Critical Patch Update (CPU), and a different Java weakness (CVE-2015-4902), which Oracle addressed on Tuesday with the October 2015 CPU.
The attackers used the flaw identified as CVE-2015-4902 to bypass the click-to-play protection in Java.
In recent years, several steps have been taken to prevent the exploitation of Java vulnerabilities: Oracle started releasing updates more often, browser vendors blocked outdated Java versions, rules have been tightened for the execution on self-signed and unsigned applets, and a click-to-play protection was introduced for all applets.
In attacks aimed at NATO members and the White House, the Pawn Storm threat group leveraged both CVE-2015-2590 and CVE-2015-4902. The first issue was detailed by Trend Micro in July, shortly after the attacks were spotted, and now that Oracle has resolved the click-to-play bypass flaw, the security firm disclosed its details as well.
The click-to-play bypass vulnerability allowed attackers to execute malicious Java code without any alerts being shown to the victim.
“If Java was still in widespread use today, the effects of a bypass of click-to-play protection would be far-reaching. Any zero-day vulnerability discovered down the road would allow for drive-by downloads to be carried out,” Trend Micro threats analyst Jack Tang explained in a blog post. “This case also highlights the importance of ensuring that when new security features (such as click-to-play) are introduced to a complex system like Java, it is a must to audit the communications of existing components with the new features. This is to ensure that existing ‘good’ features and security are not lost in the mix.”
The Pawn Storm cyber espionage group (also known as Sednit, APT28, Fancy Bear, Sofacy and Tsar Team) has been around since at least 2007, focusing its operations on government, military, media, and defense organizations from across the world.
Pawn Storm has used at least half a dozen zero-day vulnerabilities in the last year, including flaws affecting Java, Windows and Flash Player. Trend Micro reported last week that the group had leveraged an Adobe Flash Player zero-day (CVE-2015-7645) in attacks aimed at several Foreign Affairs Ministries. Adobe patched the weakness within a few days after its existence came to light.