Drive-by espionage attacks target Java, Flash flaws

Summary: Hackers are using vulnerabilities in Oracle Java and Adobe Flash to carry out drive-by attacks on visitors to foreign policy, defence, and humanitarian websites, according to security volunteer organisation the Shadowserver Foundation.

Hackers are using vulnerabilities in Oracle Java and Adobe Flash to carry out drive-by attacks on visitors to foreign policy, defence, and humanitarian websites, according to security volunteer organisation the Shadowserver Foundation.

Drive-by exploits, in which a user's browser is silently redirected from the site they visit to further sites that exploit it and deliver malware, are being used to target users with defence, foreign policy, and humanitarian interests, the Foundation said.

Over the past two weeks, exploits that have been "heavily used" by attackers target a flaw in the Oracle Java Runtime Environment (CVE-2012-0507) and an object confusion vulnerability in Adobe Flash (CVE-2012-0779), Shadowserver security experts Steven Adair and Ned Moran said in a blog post on Tuesday. Adobe patched its flaw in May and Oracle its hole in February, so both exploits only succeed against systems that have not applied those updates.

"Right now, as you read this, there are a few recent exploits that are being heavily used by attackers engaged in cyber-espionage to take a foothold onto various networks," Adair and Moran said.

Amnesty International Hong Kong's Chinese-language site is serving Flash exploit code. The attack does not appear to be linked to an attack on the Amnesty International UK site last week, but may be linked to an attack on the UK site last year, according to the researchers.


The US Center for Defense Information (CDI) has been compromised "multiple times in the last few weeks," and is serving a Flash exploit, said Adair and Moran.

"The CDI website is currently serving up a malicious Flash exploit that ties back [to] attackers known to engage in cyber-espionage," said the researchers. "This threat group appears to be interested in targets with a tie to foreign policy and defence activities."

In general, and in the CDI attack in particular, the compromise of a victim's computer is split across several websites hosted on servers in different countries. After the victim visits the compromised site, the browser is redirected to each of these sites in turn to fetch the successive components of the Poison Ivy remote access Trojan (RAT).
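A delivery chain split across several hosts leaves a trail in proxy logs that a defender can reconstruct. The script below is an added example, not code from the article or from Shadowserver: it follows Referer headers from the page a user visited through the redirect hops to the exploit file, and then attributes a Referer-less binary download to the most recent Flash or Java response from the same client inside a short time window, since a payload fetched by exploit shellcode usually carries no Referer. The log format, hostnames and log lines are constructed for illustration; the content-type sets and the 30-second window are assumptions of this example.

```python
"""Reconstruct multi-host drive-by delivery chains from proxy logs.

Added example, not code from the article or from Shadowserver. The log
format, hostnames and log lines below are constructed for illustration.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Content types that typically carry the exploit stage and the dropped
# payload (assumed for this example).
EXPLOIT_TYPES = {"application/x-shockwave-flash", "application/java-archive",
                 "application/x-java-archive"}
PAYLOAD_TYPES = {"application/octet-stream", "application/x-msdownload",
                 "application/x-dosexec"}

# Constructed proxy log: timestamp client "GET url" status content-type "referer"
SAMPLE_LOG = """\
2012-05-15T09:12:01 10.0.0.5 "GET http://think-tank.example/index.html HTTP/1.1" 200 text/html "-"
2012-05-15T09:12:02 10.0.0.5 "GET http://stage1.example.net/load.php HTTP/1.1" 200 text/html "http://think-tank.example/index.html"
2012-05-15T09:12:03 10.0.0.5 "GET http://stage2.example.biz/exp.swf HTTP/1.1" 200 application/x-shockwave-flash "http://stage1.example.net/load.php"
2012-05-15T09:12:05 10.0.0.5 "GET http://stage3.example.info/update.exe HTTP/1.1" 200 application/octet-stream "-"
2012-05-15T09:15:00 10.0.0.7 "GET http://think-tank.example/index.html HTTP/1.1" 200 text/html "-"
2012-05-15T09:15:01 10.0.0.7 "GET http://cdn.example.com/site.css HTTP/1.1" 200 text/css "http://think-tank.example/index.html"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) "(?:GET|POST) (?P<url>\S+) HTTP/1\.[01]" '
    r'(?P<status>\d{3}) (?P<ctype>\S+) "(?P<referer>[^"]*)"$')


def parse_log(text):
    """Parse log lines into dicts, keeping only successful (200) responses."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("status") != "200":
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        rec["ctype"] = rec["ctype"].split(";")[0].lower()
        records.append(rec)
    return records


def link_parents(records, window):
    """Attach each request to the earlier request that led to it.

    Normal hops are joined by the Referer header. A payload fetched by the
    exploit's shellcode usually carries no Referer, so an orphan payload is
    attributed to the most recent exploit-type response from the same client
    inside the time window (a heuristic assumed by this example).
    """
    by_client = {}
    for rec in sorted(records, key=lambda r: r["ts"]):
        history = by_client.setdefault(rec["client"], [])
        rec["parent"] = None
        if rec["referer"] != "-":
            for prev in reversed(history):
                if prev["url"] == rec["referer"]:
                    rec["parent"] = prev
                    break
        elif rec["ctype"] in PAYLOAD_TYPES:
            for prev in reversed(history):
                if rec["ts"] - prev["ts"] > window:
                    break
                if prev["ctype"] in EXPLOIT_TYPES:
                    rec["parent"] = prev
                    break
        history.append(rec)
    return records


def find_drive_by_chains(log_text, min_hosts=3, window_seconds=30):
    """Return URL chains that hop across at least min_hosts distinct hosts,
    pass through an exploit-type response and end in a payload download."""
    window = timedelta(seconds=window_seconds)
    chains = []
    for rec in link_parents(parse_log(log_text), window):
        if rec["ctype"] not in PAYLOAD_TYPES:
            continue
        chain, node = [], rec
        while node is not None:          # walk back to the entry page
            chain.append(node)
            node = node["parent"]
        chain.reverse()
        hosts = {urlsplit(n["url"]).hostname for n in chain}
        if len(hosts) >= min_hosts and any(n["ctype"] in EXPLOIT_TYPES for n in chain):
            chains.append([n["url"] for n in chain])
    return chains


if __name__ == "__main__":
    for chain in find_drive_by_chains(SAMPLE_LOG):
        print(" -> ".join(chain))
```

Running the script on the constructed log prints one four-hop chain from the entry page through the loader and the Flash file to the executable, while the second client, which only pulled a stylesheet, produces nothing. The host-count threshold is what separates a staged chain of the kind described above from a site that merely loads its assets from a CDN; lowering it increases recall at the cost of false positives from ordinary third-party content.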

The Israeli International Institute for Counter-Terrorism site is hosting a Java exploit, and the Cambodian Ministry of Foreign Affairs site is serving a malicious Flash exploit that ultimately leads to the Poison Ivy RAT being installed via the compromised US Auto Association website.


About

Tom is a technology reporter for ZDNet.com, writing about all manner of security and open-source issues.
