Cyber spies exploiting Java, Flash flaws

Cyber spies have planted Java- and Flash-exploiting malware on Web sites focused on human rights, defense and foreign policy.

Over the last two weeks, the Shadowserver Foundation, a nonprofit group that tracks Internet threats, has discovered several such compromised Web sites that download the malware through visitors' browsers. The malware, which exploits known flaws in Adobe Flash and Java, is aimed at Mac and Windows systems.

Sites that were serving malware as of Monday included those of the Center for Defense Information, a research group focused on U.S. national security; Amnesty International Hong Kong; the Cambodian Ministry of Foreign Affairs; and the International Institute of Counter-Terrorism at the Interdisciplinary Center in Herzliya, Israel, Shadowserver said. Last week, security vendor Websense reported that the site of Amnesty International United Kingdom was serving Java-exploiting malware.


Such targeted attacks have become a major problem for corporations, particularly those within the defense industry or manufacturing. In its 2011 annual security report, network equipment maker Cisco found that cyber criminals were moving from large-scale attacks using spam to working for organizations that pay handsomely for electronic documents stolen from particular international corporations and law firms, government agencies and research organizations.

"It's a very prevalent attack right now," Liam O Murchu, manager of Symantec's Security Response Operations, said. "We've seen large increases in these types of attacks in the last year."

To protect themselves, Symantec advises companies to isolate the kind of data that would be a target in a cyber-espionage campaign, and then monitor it to see who is accessing it, how they are accessing it and whether there is unusual activity, such as the movement of large amounts of data.
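The monitoring Symantec describes can be reduced to a small piece of detection logic: define the isolated data set, then flag who reaches it outside normal hours and who moves an unusual volume out of it. The code below is an added illustration, not Symantec's or Shadowserver's tooling; the log format, the `/secure/` prefix, the business-hours window and the byte threshold are all assumptions, and the log lines are constructed.

```python
"""Detection logic for access to an isolated sensitive data set:
flag off-hours reads and bulk movement within a short window.
Added example; format, paths and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample file-access log: timestamp user action path bytes
SAMPLE_LOG = """\
2012-05-15T09:01:10 alice READ /secure/rd/design.doc 120000
2012-05-15T09:05:42 bob READ /secure/contracts/q2.xlsx 80000
2012-05-15T22:13:05 alice READ /secure/rd/design.doc 120000
2012-05-15T22:13:40 alice READ /secure/rd/specs.pdf 900000
2012-05-15T22:14:02 alice READ /secure/contracts/q2.xlsx 80000
2012-05-15T22:14:30 alice COPY /secure/rd/archive.zip 45000000
2012-05-15T10:30:00 carol READ /public/news.txt 2000
"""

SENSITIVE_PREFIX = "/secure/"      # the isolated, monitored data set (assumed)
BUSINESS_HOURS = range(8, 19)      # 08:00-18:59 local time (assumed)
WINDOW = timedelta(minutes=10)     # sliding window for volume accounting
BYTES_THRESHOLD = 10_000_000       # 10 MB out of the set per window (assumed)

def parse(log):
    """Parse the constructed log into (timestamp, user, action, path, bytes)."""
    events = []
    for line in log.splitlines():
        ts, user, action, path, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), user, action, path, int(nbytes)))
    return sorted(events)   # chronological, since datetime is the first field

def find_alerts(log):
    """Return sorted (user, reason) pairs for sensitive-set access that is
    off-hours or that exceeds BYTES_THRESHOLD within WINDOW."""
    alerts = set()
    recent = defaultdict(list)   # user -> [(ts, bytes)] still inside the window
    for ts, user, action, path, nbytes in parse(log):
        if not path.startswith(SENSITIVE_PREFIX):
            continue             # only the isolated data set is monitored
        if ts.hour not in BUSINESS_HOURS:
            alerts.add((user, "off-hours access"))
        # drop events older than the window, then add this one
        recent[user] = [(t, b) for t, b in recent[user] if ts - t <= WINDOW]
        recent[user].append((ts, nbytes))
        if sum(b for _, b in recent[user]) > BYTES_THRESHOLD:
            alerts.add((user, "bulk data movement"))
    return sorted(alerts)
```

On the constructed log, bob's single daytime read stays quiet while alice's late-night run of reads followed by a 45 MB copy raises both alerts.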

In the latest attacks, the malware opens up a backdoor in infected systems, in order to receive commands from a control server located in a remote location. The server also receives stolen data. In the case of the Amnesty International sites, Shadowserver believes the hackers responsible for compromising the Hong Kong site were also involved in infecting the U.K. site.

The Flash-exploiting malicious code on the CDI site was traced to attackers known to engage in cyber-espionage, Shadowserver volunteers Steven Adair and Ned Moran wrote on the group's blog on Tuesday. "This threat group appears to be interested in targets with a tie to foreign policy and defense activities."

In the last few weeks, Shadowserver has discovered other sites compromised by the same attackers. Those sites included the American Research Center in Egypt, the Institute for National Security Studies in Israel and the Centre for European Policy Studies. All the sites have since been cleaned of malware.

In recent months, Shadowserver has seen malware exploiting zero-day (meaning unpatched) vulnerabilities in cyber-espionage attacks. "Frequently by the time a patch is released for the vulnerabilities, the exploit has already been [in] the wild for multiple weeks or months -- giving the attackers a very large leg up," Adair and Moran said.

Adobe and Oracle, which manages Java, have issued patches for the holes in their respective products. Cyber-criminals often target known flaws, gambling that many people browse the Web with unpatched systems. That gamble is often correct: in general, up to 60 percent of Java installations are never updated to the latest version, according to security vendor Rapid7.

The Java vulnerability used in the latest attacks was the same one exploited last month by hackers to infect 600,000 Mac computers. Apple was criticized for not releasing a patch until six weeks after one was available for Windows systems.

The latest cyber espionage activity has the same goal as similar attacks, which is to steal data. Targets typically include e-mail communications, research and development documents, intellectual property and information on contracts and business negotiations. Such activity is often paid for or sanctioned by government agencies. International companies are also suspected of hiring hackers to spy on rivals.

"It is important to note that there is not a single monolithic group responsible for all of these attacks," Adair and Moran said.


Stories by Antone Gonsalves