‘Nitro’ gang said to be behind first attacks using zero-day Java flaw used to spread malware
Symantec says an Asian hacker group was behind the first attacks to exploit a flaw in Oracle’s Java software. Photograph: Paul Sakuma/AP
An Asian hacker group dubbed “Nitro”, because its previous targets include chemicals manufacturing companies, was behind the first attacks to exploit a flaw in Oracle’s Java software, says the security company Symantec.
Although little is known about the group, it is thought that they did not discover the flaw themselves but may have bought it from a commercial group that specialises in selling details about “zero-day” flaws in software that can be used to penetrate commercial or government systems, even when they have the most up-to-date cybersecurity in place.
“We can confirm that some of the attackers behind this latest round of attacks are actually the Nitro gang,” Symantec says.
Orla Cox, senior manager for security response, told the Guardian that the gang had first been spotted online in October 2011, using a command server located in Singapore that was used to control the siphoning of information from 29 US, UK and Bangladesh-based chemical manufacturing companies, many listed on the stock market. She declined to name them, citing customer confidentiality.
The latest attacks, which have led to widespread advice that users should disable Java on their browsers, were spotted last week.
But Cox said that new evidence collected by Symantec indicated that the Nitro group was sending out targeted emails, again to chemicals companies, since 22 August – before the vulnerability was spotted by security researchers.
The emails contained a link which, if clicked, would take unsuspecting users to websites. Those then exploited the flaw in Java to load malware on their machine and leave it open to being surreptitiously controlled, so that information on it or its network could be siphoned to the gang.
“They haven’t used a zero-day attack before, which indicates that they don’t as a group have that expertise,” Cox said.
She said that suggests that they acquired it commercially rather than discovering it themselves.
Zero-day flaws are a burgeoning commercial field in the underground hacker economy where some gangs work to order for commercial or government clients which want to break into systems.
Discovering them can take a long time and special expertise; deploying them tends to require much less skill.
Symantec said it could not identify the Nitro gang’s location, as the Singaporean command computer could be controlled from anywhere in the world.
But it seemed likely, said Cox, that the gang is based somewhere in the region.
Technical details
The attackers have been using this zero-day for several days since August 22. We have located two compromised websites serving up the malware:
- ok.XXXX.net/meeting/applet.jar
- 62.152.104.XXX/public/meeting/applet.jar
One sample of malware downloaded by the exploit has been identified as 4a55bf1448262bf71707eef7fc168f7d – “hi.exe” or “Flash_update.exe”
This particular sample connects to hello.icon.pk, which resolves to 223.25.233.244. That same IP was used by the Nitro attackers back in 2011.
The Java exploit is detected by Symantec as Java.Awetook. The vulnerability consists of a privilege escalation due to a class that allows access to protected members of system classes, which should not be accessible. Because of this, malicious code can bypass the restrictions imposed by the sandbox and use the “getRuntime().exec()” function in order to execute a malicious payload. In our tests, we have confirmed that the zero-day works on the latest version of Java (JRE 1.7), but it does not work on the older version JRE 1.6. A proof of concept for the exploit has been published and the vulnerability has already been added in Metasploit.
IPS detections for the exploit are covered under:
Oracle has issued a patch—Java SE 7 Update 7—that addresses CVE-2012-4186. Users are advised to download the latest update.
