Cyber-security experts yesterday demonstrated how the latest zero-day vulnerabilities in Java could be used in a cyber-attack.
Researchers from Context Information Security showed visitors how an attacker could develop and use a Java-based exploit against a major fictional corporate bank, before providing advice on how to protect a corporate environment without resorting to a blanket “uninstall Java” approach.
Earlier this month Context principal security consultant James Forshaw discovered a previously unknown exploit of Java, or zero-day exploit, at the 2013 Pwn2Own cyber-security competition at CanSecWest in Vancouver.
Penetration testing experts from the firm demonstrated how an attacker could use such an exploit to steal sensitive data from a major organisation, based on real-world experience from an assignment carried out by the team.
“In recent months we have seen an increase in large-scale attacks on multinational corporations and government institutions using platforms such as Java and .NET to circumvent browser-based sandboxes and gain execution under the privileges of logged-in users,” said Forshaw before the event.
“This demonstrates that many platforms which aim to secure against malicious code can find it difficult to fully avoid logical flaws, and security teams need to be aware of the threats and take measures to mitigate the risks.”
By using a vulnerability in the Java reflection API, which has been the target of recent attacks, Forshaw was able to disable the Java sandbox and perform actions under the privileges of the logged-in user, including reading and writing files and executing new programs.
And with Oracle boasting that three billion devices use Java, Forshaw sees it as an obvious target for hackers.
“Three billion devices across the world. That’s a big attack surface,” he said at the event.
Drawing on an attack carried out by Context at the behest of a major financial institution to test its defences – known as a “red teaming” exercise – Head of Research Mike Jordon demonstrated how an exploit such as Forshaw’s could be used to gain access to important client information.
“What we are trying to do is show how a real attacker like a state sponsored attacker would do the same sort of attack,” he said.
Jordon demonstrated how, using tactics such as spear-phishing emails (a more directed form of phishing that targets individuals rather than sending blanket emails), creating a bogus LinkedIn account and joining the company’s group, the team were able to get employees to open a bogus link that activated the exploit delivery system and gave them control of their machines.
The team even managed a more physical approach by delivering an envelope containing a USB stick carrying the exploit delivery system to the firm’s reception under the pretence that someone dropped it outside.
“We just need to get into one person’s workstation,” he said. “We can use that as a bridgehead to start to attack out from there.”
But despite demonstrating how easily hackers can gain access, senior security consultant Peter Barbour said it is not necessary for firms to take the drastic action of a blanket uninstall of Java.
Simply being aware of the vulnerability is a start, as are steps such as disabling Java in browsers if it is only needed in desktop applications; limiting Java to whitelisted domains for applet support; and deploying Java Web Start from a local shortcut rather than from a browser.
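One way to put the domain-whitelisting step into practice is Oracle’s Deployment Rule Set: a signed `ruleset.xml` that tells the Java plug-in which sites may run applets and Web Start applications and blocks the rest. The file below is an added example written for this article, not configuration from Context or from the engagement described; the host names `intranet.example.com` and `hr.example.com` are constructed placeholders for an organisation’s own internal sites.

```xml
<?xml version="1.0"?>
<!-- Added example: a Deployment Rule Set that only lets Java content from
     named internal hosts run and blocks every other site.
     intranet.example.com and hr.example.com are constructed placeholder names. -->
<ruleset version="1.0+">
  <!-- Rules are evaluated top to bottom; the first rule whose location matches wins. -->
  <rule>
    <id location="https://intranet.example.com" />
    <action permission="run" />
  </rule>
  <rule>
    <id location="https://hr.example.com" />
    <action permission="run" />
  </rule>
  <!-- Catch-all: an <id/> with no location matches everything not listed above. -->
  <rule>
    <id />
    <action permission="block">
      <message>Java content from this site is blocked by corporate policy.</message>
    </action>
  </rule>
</ruleset>
```

The file is packaged as `DeploymentRuleSet.jar`, signed with a certificate the client machines trust, and placed in the system-wide Java deployment directory (`C:\Windows\Sun\Java\Deployment` on Windows, `/etc/.java/deployment` on Linux). Because the last rule blocks anything not explicitly listed, a phishing link to an attacker-controlled site never gets as far as loading the applet. For users who only need Java for desktop applications, the companion setting `deployment.webjava.enabled=false` in the system `deployment.properties` disables the browser plug-in altogether while leaving the runtime in place.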
And by training staff on the dangers of phishing and remembering that sites such as LinkedIn, while useful, are not the intranet, the risks of infection can also be reduced.
“If they want to get in they will find a way to get in,” Context CEO Mark Raeburn said. “There are various measures you can put in place, but it’s a game of cat and mouse. There are no fixes.”
But by being aware of the dangers and the potential vectors of attack, companies can detect breaches more swiftly and stem the problem before data is compromised.
“There is a lag,” he said. “The key is getting in during that lag and interfering with the processes before they get that data out.”