Just when you thought you were safe from the Java exploit: Beyond Apple device IDs being allegedly hacked from an FBI agent's laptop via last week's Java flaw, a security firm in Poland, Security Explorations, is saying a patch issued by Oracle still leaves the software insecure.
And Symantec, the SANS Institute's Internal Storm Center and Websense are sounding the alarm about new approaches being used for the Java exploit. Oracle could not immediately be reached for comment.
Nitro Attacks Revisited
In October 2011, Symantec documented a particular targeted attack campaign dubbed The Nitro Attacks. Attackers were primarily targeting chemical companies. Symantec said those attackers have escalated their efforts through a zero-day Java vulnerability in the wild.
"The traditional modus operandi of the Nitro attackers is to send an e-mail to victims," Symantec reports in its Security Response blog. "That e-mail contains an attachment, which is a password-protected self-extracting zip file. The e-mail claims to be an update for some piece of commonly installed software. The targeted user extracts it, runs it, and is infected with a copy of Backdoor.Darkmoon (also known as Poison Ivy)."
In these latest attacks, Symantec said, the attackers have developed a more sophisticated technique. They are using a Java zero-day, hosted as a .jar file on Web sites, to infect victims. Like the October 2011 attacks, Symantec said the attackers are using Backdoor.Darkmoon, re-using command-and-control infrastructure , and even re-using file names such as "Flash_update.exe".
"It is likely that the attackers are sending targeted users e-mails containing a link to the malicious jar file," the firm said. "The Nitro attackers appear to be continuing with their previous campaign."
Infamous Amazon E-Mail
Meanwhile, SANS and Websense are both pointing to a Java exploit that, if successful, could allow cyber criminals to deliver more malicious payloads to victims' machines. And that, Websense said, could lead to the exfiltration of personal and financial data . It comes in the form of an e-mail supposedly from Amazon that directs victims to a page containing the recent Java exploit.
"On 1st September, Websense ThreatSeeker Network intercepted over 10,000 malicious e-mails with the subject 'You Order With Amazon.com' enticing the recipient to 'click here' to verify a fictitious order...." Websense wrote on its blog. (continued...)