The security community has been focused on the new Java zero-day exploits that appear to have been taken from a Chinese exploit pack (known as Gondad or KaiXin) used in targeted attacks by the “Nitro” cyber-espionage campaign and then incorporated into criminal operations using the BlackHole Exploit Kit. While the connections between these developments are starting to emerge, it is important to remember that campaigns, such as Nitro, don’t “come back” because they don’t go away. The Nitro attackers continued to be active after their activities were documented in 2011.
In fact, before they acquired this Java exploit, the Nitro attackers were continuing to send out emails to their targets with direct links to Poison Ivy executables in early August 2012 (On a related note, another email was spotted in April 2012).
Trend Micro products detect and remove the exploits and Poison Ivy payload. Deep Discovery™ also detects and blocks communication done by the Poison Ivy payload.
Oracle has released an out-of-band patch for Java which closes the vulnerability used by this zero-day exploit. The update increments the version number to Version 7 Update 7 for users on the latest JRE version; users still using Java 6 are also receiving an update that will increment their version to Version 6 Update 35. Users should immediately update their systems to protect against this threat.
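As an added example (not code from the original post or from Trend Micro or Oracle), the following script checks whether a JRE is at or above the patched builds named above, Java 7 Update 7 and Java 6 Update 35. It parses the banner printed by `java -version` (which goes to stderr) in both the legacy `1.7.0_07` scheme and the newer `11.0.2` scheme; the sample banners are constructed for illustration, and the assumption that any major release newer than Java 7 postdates this fix is ours.

```python
import re
import subprocess

# Minimum patched update level per major release, as stated in the post:
# Java 7 Update 7 and Java 6 Update 35.
PATCHED_UPDATE = {7: 7, 6: 35}

# Matches both 'version "1.7.0_06"' (legacy 1.x scheme) and 'version "11.0.2"'.
_VERSION_RE = re.compile(r'version "(\d+)(?:\.(\d+))?[^"]*?(?:_(\d+))?"')


def parse_java_version(banner):
    """Return (major, update) from a `java -version` banner, or None if unparseable.

    'java version "1.7.0_06"'  -> (7, 6)
    'openjdk version "11.0.2"' -> (11, 0)
    """
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    first, second, update = m.group(1), m.group(2), m.group(3)
    if first == "1" and second is not None:
        major = int(second)          # legacy scheme: 1.7.0_07 is Java 7 update 7
    else:
        major = int(first)           # modern scheme: 11.0.2 is Java 11
    return major, int(update) if update else 0


def is_patched(banner):
    """True if the JRE reporting this banner is at or above 7u7 / 6u35."""
    parsed = parse_java_version(banner)
    if parsed is None:
        return False                 # unknown banner: treat as unpatched
    major, update = parsed
    required = PATCHED_UPDATE.get(major)
    if required is None:
        # Assumption: majors newer than 7 postdate this fix; Java 5 and older
        # never received it and are out of support, so they count as unpatched.
        return major > 7
    return update >= required


# Constructed sample banners (not real captures) covering each branch.
SAMPLE_BANNERS = {
    "7u06": 'java version "1.7.0_06"\nJava(TM) SE Runtime Environment (build 1.7.0_06-b24)',
    "7u07": 'java version "1.7.0_07"\nJava(TM) SE Runtime Environment (build 1.7.0_07-b10)',
    "6u33": 'java version "1.6.0_33"',
    "6u35": 'java version "1.6.0_35"',
    "5u22": 'java version "1.5.0_22"',
    "11":   'openjdk version "11.0.2" 2019-01-15',
}


def check_samples():
    """Evaluate every constructed banner; returns {label: patched?}."""
    return {label: is_patched(banner) for label, banner in SAMPLE_BANNERS.items()}


def installed_java_banner(java="java"):
    """Run `java -version` for the JRE on PATH and return its banner ('' if absent)."""
    try:
        proc = subprocess.run([java, "-version"], capture_output=True, text=True, check=False)
    except OSError:
        return ""
    return proc.stderr or proc.stdout


if __name__ == "__main__":
    for label, ok in check_samples().items():
        print(f"{label:>5}: {'patched' if ok else 'UNPATCHED'}")
    banner = installed_java_banner()
    if banner:
        print("installed:", "patched" if is_patched(banner) else "UNPATCHED", "-", banner.splitlines()[0])
    else:
        print("installed: no java found on PATH")
```

Note that this only inspects the JRE first on the PATH; the browser plugin that the exploit kit actually targets may be bound to a different installation, so check the plugin's version in each browser (and remove any stale JREs) rather than relying on this one result.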
Update as of September 4, 11:10 AM PDT
Trend Micro Deep Security users should apply the rule 1005178 – Java Applet Remote Code Execution Vulnerability – 2 to protect from threats seen exploiting this Java vulnerability.