Cyberthreat researchers unmask Java-based attacks

Enterprises can guard against Java-based attacks by using the latest versions of the platform. Credit: Miha Perosa

An increasing number of hackers are using Java-based attacks to spread malware, leaving enterprises vulnerable when outdated versions remain installed.

“We see a substantial number of detections for Java-based exploits and that was over the past three months,” Alex Dubrovsky, director of software engineering & threat research at Dell SonicWALL, said during a presentation last month. “The largest number of exploit attempts is by far happening in the United States.”

Other highly targeted countries include Canada, France, Germany, Korea, India and the United Kingdom, Dubrovsky said. Cybercrooks are using Java-based attacks to install fake antivirus software to wreak havoc or even to seize control over entire machines. More than 3 billion devices run Java, he said.

How Java-based attacks work

Dubrovsky dedicated a large portion of his latest threat-research presentation to Java-based attacks, breaking down step by step how they work and hide within the HTML coding of seemingly innocuous websites. Here’s how the infections work:

  • A user visits a malicious webpage.
  • HTML injected with a malicious and hidden IFrame downloads malicious JavaScript code, which is usually obfuscated.
  • The JavaScript determines which version of Java is installed on a system and downloads an applet based on that version’s vulnerability.
  • The applet downloads a malicious executable, which releases the infection.
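As an added example (not code from the article or from Dell SonicWALL), the following Python triage script shows how a defender can check captured web pages for the first two steps above: IFrames that are hidden or sized to zero, and inline scripts dense with the escape, unescape and eval markers that obfuscated loaders rely on. The marker list, the threshold of three markers and the sample HTML are constructed assumptions, and every hit still needs a human look.

```python
"""Triage helper: flag hidden iframes and obfuscated inline scripts in HTML.
Constructed example; heuristics only, an analyst confirms each finding."""
import re
from html.parser import HTMLParser

HIDDEN_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
# Markers typical of packed loader scripts: escaped bytes, unescape/eval, char-code strings.
OBFUSC_RE = re.compile(r"\\x[0-9a-f]{2}|%u[0-9a-f]{4}|fromCharCode|unescape\(|eval\(", re.I)

def _tiny(value):
    """True for 0/1-pixel dimensions, the usual size of an injected iframe."""
    return value is not None and value.strip().rstrip("px").strip() in ("0", "1")

class IframeScriptScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self._in_script, self._script = [], False, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            style_hidden = bool(HIDDEN_RE.search(a.get("style") or ""))
            if style_hidden or (_tiny(a.get("width")) and _tiny(a.get("height"))):
                self.findings.append(("hidden_iframe", a.get("src") or ""))
        elif tag == "script":
            self._in_script, self._script = True, []

    def handle_data(self, data):
        if self._in_script:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            hits = len(OBFUSC_RE.findall("".join(self._script)))
            if hits >= 3:  # one eval() alone is common; several markers together are not
                self.findings.append(("obfuscated_script", f"{hits} markers"))

def scan_html(html):
    """Return (kind, detail) findings for one HTML document."""
    p = IframeScriptScanner()
    p.feed(html)
    p.close()
    return p.findings

# Constructed sample page: one injected 0x0 iframe, one packed script, one benign embed.
SAMPLE = """<html><body><h1>Breaking news</h1>
<iframe src="http://example.invalid/landing" width="0" height="0"></iframe>
<script>var s=unescape("%u4141%u4141");eval(String.fromCharCode(97,108,101,114,116));</script>
<iframe src="https://example.org/video" width="640" height="360"></iframe></body></html>"""
```

Running `scan_html(SAMPLE)` reports the zero-size IFrame and the packed script but not the normally sized video embed.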

Launching a Java-based attack is apparently fairly easy and relatively inexpensive. Within the digital attack space, crime-ware kits — which can be purchased for as little as $200 — often come supplied with Java-based exploits, the ZDNet Zero Day blog reported in March.

Spammers spread infection

To trick people into visiting a malicious webpage, cybercriminals often exploit insatiable appetites for breaking news by sending links in an email message with enticing headlines in the subject line.

Security experts told SecurityWatch in April about spammers circulating malicious emails masquerading as news updates about the Boston Marathon bombing less than 24 hours after the attack. Email isn’t the only attack vector, as German security specialist Avira also found posts on Facebook with links to various websites that appeared malicious.

“This social engineering technique is not new. We see this every time there is something happening in the world (war, natural catastrophe, social events) that is potentially interesting for a lot of people,” Sorin Mustaca, IT security expert at Avira, told SecurityWatch.

Security tips for enterprises

The prevalence of Java-based attacks speaks to the importance of running the most updated version and uninstalling older versions. A recent report by security firm Bit9 found that 82 percent of enterprises are running the most vulnerable version of Java, version 6, on PCs and servers, and that the average enterprise is running 50 different versions.

Bit9 urges enterprises to evaluate whether Java is necessary and, if they choose to remove it, to conduct a software audit to confirm eradication. Administrators should also regularly look for unexpected installations of Java.

Nick Clunn
Nick Clunn is a journalist covering the tech beat and an adjunct professor at Montclair State University. He lives in New Jersey, where he had worked as a staff writer for several leading daily newspapers and websites.