Java exploit used in Red October cyberespionage attacks, researchers say

Seculert researchers identified a Java exploit and corresponding attack pages on Red October command and control servers

The hundreds of government, military and research organizations targeted in a large-scale cyberespionage operation dubbed Red October were not only attacked using malicious Excel and Word documents as previously believed, but also by using Web-based Java exploits, according to researchers from Israeli IT security firm Seculert.

Researchers from antivirus vendors Kaspersky Lab published the results of their investigation into Red October on Monday. According to their report, the victims were targeted via rogue email messages that contained malicious documents designed to exploit known vulnerabilities in Microsoft Excel and Word.

Costin Raiu, director of Kaspersky's global research and analysis team, said Monday that other methods of distributing the cyberespionage malware might have been used, but hadn't been identified yet.

However, while analyzing the command and control servers used in the campaign, security researchers from Seculert discovered a special folder containing a malicious Java applet -- Web-based Java application -- designed to exploit a Java vulnerability patched in October 2011.

The exploit found on the server was compiled in Feb. 2012, which reinforces the belief that these attackers preferred to target older, known vulnerabilities, not zero-day -- previously unknown -- ones, the Seculert researchers said Tuesday in a blog post.

The discovery was made possible because at some point the attackers switched from using PHP as the server-side scripting language on their command and control servers to CGI. Some older PHP-based attack pages were still left on the servers and accessing them in a browser revealed their source code, the Seculert researchers said.

Evidence suggests that the Web-based attack method continued to be used even after switching the infrastructure to CGI, Aviv Raff, Seculert's chief technology officer, said Tuesday. However, it's not clear if exploits for newer vulnerabilities in Java or other browser plug-ins have been used in the past few months, he said.

Further analysis is impossible at this time because the command and control servers have been shut down, most likely by the attackers in an attempt to cover their tracks, Raff said.

The attackers tricked individuals in the targeted organizations into visiting the attack pages by sending them rogue emails with links pointing to them, the Seculert researchers said. It's not clear what those emails said, because no copy has been recovered yet, but they probably had a news-based theme, Raff said.

The attack pages, the Java exploit itself and even the URL for the malware payload contained strings referencing "news," Raff said. In fact, after the attack page loaded the Java exploit, the victims' browsers were being redirected to legitimate news sites, including one based in Turkey, he said.

Interestingly enough, command and control servers used in the Flame cyberespionage campaign also contained a "NewsForYou" string, suggesting that a news theme was used in those attacks. It's not clear at this time if this is just a coincidence or if there's a connection between the two campaigns, Raff said.

Raff believes that Red October is the work of a group of hackers trying to obtain high-value information which they can later sell to interested parties, rather than the result of a nation state's cyberespionage efforts. Researchers from Kaspersky Lab, who first uncovered this cyberespionage operation, favor the same theory.

Join the CSO newsletter!

Error: Please check your email address.

Tags intrusiononline safetysecuritySeculertExploits / vulnerabilitiesspywaremalwarekaspersky lab

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place