Digital certificate stolen to Bit9 used to sign Java exploit

By Pierluigi Paganini, Editor-in-Chief

According security experts the numerous cyber attacks that hit principal IT companies, news agencies and government offices exploited zero-day vulnerabilities in Java software to the point that many recommend to uninstall Java plug-in from our browser unless absolutely necessary.

Same clamor had obtained in the past the discovery that malware source codes were signed with stolen digital certificates to elude victims defense systems and infect their machines.

These time the two events have concurred for the success of the recent attacks, malware used in a zero-day Java exploit was signed with certificates stolen from a Bit9 security firm that was hit itself by a cyber attack.

The is no peace for Java software, the malicious code targeted all early version of the popular software such as Java 6 Update 41 and Java 7 Update 15 released a couple of weeks ago.

The shocking revelation has been made by researchers at security firms FireEye and CyberESI that discovered the attack known as CVE-2013-1493 able to compromise both above editions of Java.

The researchers discovered that the malicious code used for the exploits is the same found in the recently attacks at security firm Bit9, according FireEye the exploit downloaded the McRat, a remote access trojan. Security analysts observed also that once infected the victims, the malware contacted C&C server with IP address 110.173.55.187, exactly the same server used in the attack against Bit9 and described by same security firm in a blog post.

“It contains one (1) export: “DllRegisterServer”. When this function is called, the malicious DLL beacons to IP address “110.173.55.187” over port 80.”

The following information was found about the “110.0.0.0-110.255.255.255” net range:

  • OrgName Asia Pacific Network Information Centre

Krebsonsecurity.com blog published the following eloquent declaration released by Alex Lanstein, a senior security researcher at FireEye:

 “Same malware, same [command and control server], I’d have to say it’s the same group that hit Bit9,”.

Security researchers at Symantec have proved the links between the malware (dubbed by Symantec as “Naid”) and the attacks against Bit9 firm, in July 2012, attackers stole certificates from Bit9 to sign malicious code.

The attack according Symantec is a watering hole attack that infects users while visiting a compromised web site, obviously hackers target web sites attractive for the victims.  The recent attacks against AppleFacebook and Microsoft exploited zero day flaw the Java browser plugin while victims visited particular site.

The Symantec post states:

“As seen in figure 1, the initial stage of the attack involves a target visiting a compromised site that hosts a malicious JAR file, detected by Symantec as Trojan.Maljava.B. The JAR file contains the exploit CVE-2013-1493 which, if successful, downloads a file called svchost.jpg that is actually an MZ executable, detected by Symantec as Trojan.Dropper. This executable then acts as a loader for the dropped appmgmt.dll file, detected as Trojan.Naid”. 

symtec

Security experts suggest to disable Java in user’s browser in not necessary, anyway to disable it until a patch has been released by Oracle, but we cannot ignore that is not sure that Oracle will issue an update for retired version of Java software such as Java 6.

We just have to wait for Oracle java software updates!

(Sources: CDM and Symantec)

FAIR USE NOTICE: Under the "fair use" act, another author may make limited use of the original author's work without asking permission. Pursuant to 17 U.S. Code § 107, certain uses of copyrighted material "for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright." As a matter of policy, fair use is based on the belief that the public is entitled to freely use portions of copyrighted materials for purposes of commentary and criticism. The fair use privilege is perhaps the most significant limitation on a copyright owner's exclusive rights. Cyber Defense Media Group is a news reporting company, reporting cyber news, events, information and much more at no charge at our website Cyber Defense Magazine. All images and reporting are done exclusively under the Fair Use of the US copyright act.

Global InfoSec Awards 2021

We are in our 9th year, and these awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.

APPLY NOW