Chris Astacio

Websense Security Labs™ is following reports that a new Java zero day vulnerability (CVE-2013-0422) is being exploited in the wild by exploit kits. Early this morning, a researcher who goes by the handle Kafeine disclosed that he has started seeing exploits of a new Java vulnerability appearing in multiple exploit kits in the wild. Following up on his post, we have confirmed that we are protecting against the landing pages of these exploit kits with Websense ACE (Advanced Classification Engine) technology.  The landing page is the first thing that loads in an exploit-kit-based attack. It’s used to scan clients for vulnerabilities and send the appropriate exploits. This is one of the seven stages of an attack that you can read about here. The kits identified as using this zero day code so far are Cool Exploit Kit, Blackhole Exploit Kit, Red Kit, and Nuclear Exploit Pack.

Snippet of POC code:

The fact that exploits of this vulnerability were found in the wild and in exploit kits is huge. It’s common knowledge that exploit kit developers don’t typically write exploits on their own. In fact, exploit kit authors typically copy and paste code to include exploits in their packs. Since this exploit is already in exploit kits, it could spread very rapidly to other kit authors who are anxious to get a zero day in their code.  A zero day in exploit kits means a higher success rate for “loads” of malicious binaries, and therefore adds lots of value to the kit. Because this vulnerability is in Java, there’s also a possibility that it could be applied to client platforms like Mac OS and Linux, as well as Windows.

This makes two web-based vulnerabilities in the wild in less than a month. It’s a dangerous time to be on the web.  We strongly encourage that Java be removed from client computers. If that’s impossible due to proprietary applications, please use a separate browser with Java enabled for required applications only.  Your every day browser can handle web surfing just fine without Java enabled. As for the current IE zero day, there is a  “Fix It” solution available from Microsoft, however keep in mind that a fix it solution isn’t going to be as strong as a full patch solution.

Update:

Oracle has pushed out an update for the Java vulnerability which is available here.

Microsoft has also published a Out Of Band patch for CVE-2012-4792, which you can read more about here.

At Websense® Security Labs™, we get many questions from our customers and partners about attacks. We’re asked about the details of big attacks, obscure attacks, and, of course, targeted attacks. There has been quite a bit of noise around an attack being dubbed “project Blitzkrieg,” which is targeting banks. The attack is said to be the brainchild of a Russian hacker in an underground forum. This hacker has called upon others in the forum to aide in attacking banks by siphoning large amounts of money out of these banks using a special Trojan dubbed “Prinimalka.”

Security Labs uses Websense ACE (Advanced Classification Engine) to classify the Prinimalka malware family, and, thanks to the Websense ThreatSeeker® Network, is also monitoring its spread as part of “project Blitzkrieg.” So far, few instances of the Prinimalka infection are being seen. We’re a little skeptical that Blitzkrieg will live up to the current hype, because it’s pretty rare for a successful attack to be pre-announced months ahead of time. Although the broad class of targeted attacks like this continues to be a growing concern, it’s far more likely that this specific attack, if spread further, will take an altogether different form.