A new Java-based zero-day vulnerability is reported to be in use by a sophisticated APT group.
Zero-day exploits, vulnerabilities unknown to software vendors and exploited in the wild, are a rare but lucrative find for cybercriminals. The rise in cybersecurity investment and bug bounties helps to reduce the number of zero-days which end up in the underground to be sold on, exploited and potentially place users at risk, but you cannot detect every flaw and occasionally they will still crop up.
The Java zero-day is reportedly being exploited through drive-by downloads on the latest version of Java, version 184.108.40.206. Trend Micro says older versions, Java 1.6 and 1.7 are not affected by this zero-day exploit.
Although no details have been released on delivery -- unsurprising, considering a patch is yet to be issued -- the exploit code, TROJ_DROPPR.CXC, drops a payload called TSPY_FAKEMS.C into the login user folder.
On Monday, Symantec said in a blog post that the antivirus vendor was researching reports that the zero-day vulnerability was active in the wild and being exploited. Symantec regards the vulnerability as "critical," considering the software is widely used by consumers internationally.
The security firm believes the cyberattackers behind the exploit are linked to the advanced persistent threat (APT) group Operation Pawn Storm, which has also been given names including APT28, Sednit, Fancy Bear, and Tsar Team.
In April this year, Trend Micro revealed the APT group -- known to target a wide range of entities including the military, government groups and the media -- started off 2015 with a bang by setting up new command-and-control (C&C) servers, malicious sites and spear phishing campaigns targeting NATO members and governments across Europe, Asia and the Middle East.
Oracle is working with Trend Micro to patch the problem. Until a fix is issued, users concerned about falling victim to the exploit should temporarily disable Java in their browser.
In related news, Adobe has promised to release a new security update this week to patch two new zero-day vulnerabilities within the Adobe Flash Player. The security flaws were discovered thanks to the Hacking Team breach, in which 400GB of corporate data, exploit source code and proof-of-concept vulnerabilities were released into the public domain.