Java Exploit Behind "Red October" Cyber Attacks
Security researchers from Seculert discovered that the attackers of the large-scale cyberespionage operation dubbed "Red October" were taking advantage of Web-based Java exploits as well as malicious Excel and Word documents.
Kaspersky Lab's researchers published the results of their investigation into Red October on Monday. According to their report, the victims were targeted via rogue email messages that contained malicious documents designed to exploit known vulnerabilities in Microsoft Excel and Word.
However, after investigating the Command-and-Control (C2) servers used in the "Red October" campaign, Seculert researchers identified a special folder used by the attackers for an additional attack vector. In this vector, the attackers sent an email with an embedded link to a specially crafted PHP web page. This webpage exploited a vulnerability in Java (CVE-2011-3544, the Rhino script engine flaw that Oracle patched in its October 2011 Critical Patch Update) and, in the background, downloaded and executed the malware automatically without further user interaction, the researchers said.
The discovery was possible because the attackers had switched the server-side scripting on their C2 servers from PHP to CGI. Some older PHP-based attack pages were left behind on the servers and were evidently no longer being executed server-side, so requesting them in a browser returned their source code rather than the script's output, the Seculert researchers added.
Further analysis is impossible at this time because the command and control servers have been shut down, most likely by the attackers in an attempt to cover their tracks, Seculert's researchers added.
The attack pages, the Java exploit itself and even the URL for the malware payload contained strings referencing "news," in an effort to trick the victims.
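The chain described above (a link to a PHP landing page, a Java exploit fetched by the browser's Java plug-in, then a payload downloaded and run in the background) leaves a recognisable sequence in web-proxy logs. The following detection sketch is an added example, not code from Seculert, Kaspersky or the Red October operators: it groups proxy records by client and host, looks for a `.php` page followed within a short window by a `.jar` and then an executable fetched with a `Java/` user agent, and flags whether the plug-in build predates the fix for CVE-2011-3544 (Java SE 6 Update 29 / 7 Update 1). The log format, hostnames, paths and IP addresses are constructed for illustration; the "news"-themed paths follow the report, the real campaign URLs are not on this page.

```python
"""Proxy-log detection sketch for a PHP -> Java exploit -> payload chain.

Added example; not the researchers' or the attackers' code. The log
format below (timestamp, client, URL, user agent) and every host, path
and address in SAMPLE_LOG are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed proxy lines. Client 10.0.0.12 shows the full chain; client
# 10.0.0.33 visits a .php page and later fetches a JAR from a different
# host, which should not be flagged.
SAMPLE_LOG = """\
2013-01-15T10:02:11 10.0.0.12 http://news-example.invalid/news/index.php Mozilla/5.0 (Windows NT 6.1) Firefox/17.0
2013-01-15T10:02:13 10.0.0.12 http://news-example.invalid/news/news.jar Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_26
2013-01-15T10:02:15 10.0.0.12 http://news-example.invalid/news/news.exe Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_26
2013-01-15T10:05:40 10.0.0.33 http://intranet.example/news/index.php Mozilla/5.0 (Windows NT 6.1) Firefox/17.0
2013-01-15T10:09:02 10.0.0.33 http://cdn.example/lib/app.jar Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_26
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")
JAVA_UA_RE = re.compile(r"Java/1\.(\d)\.0_(\d+)")

# First builds shipping the fix for CVE-2011-3544 (Oracle CPU, October 2011):
# Java SE 6 Update 29 and Java SE 7 Update 1. Other majors are not assessed.
PATCHED_UPDATE = {6: 29, 7: 1}


def parse_line(line):
    """Parse one constructed proxy line into a dict, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, url, ua = m.groups()
    parsed = urlparse(url)
    return {"ts": datetime.fromisoformat(ts), "client": client, "url": url,
            "host": parsed.hostname, "path": parsed.path.lower(), "ua": ua}


def java_plugin_unpatched(ua):
    """True if the UA is the Java plug-in at a build older than the CVE-2011-3544 fix."""
    m = JAVA_UA_RE.search(ua)
    if not m:
        return False
    major, update = int(m.group(1)), int(m.group(2))
    return update < PATCHED_UPDATE.get(major, 0)


def find_driveby_chains(log_text, window=timedelta(minutes=5)):
    """Return one finding per (client, host) showing landing .php -> .jar -> .exe.

    The JAR and the executable must both be fetched by the Java plug-in from
    the same host as the landing page, within `window` of the landing request,
    with the JAR fetched no later than the executable.
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["client"], e["host"])].append(e)

    findings = []
    for (client, host), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        for i, landing in enumerate(evs):
            if not landing["path"].endswith(".php"):
                continue
            later = [e for e in evs[i + 1:] if e["ts"] - landing["ts"] <= window]
            jar = next((e for e in later
                        if e["path"].endswith(".jar") and "Java/" in e["ua"]), None)
            exe = next((e for e in later
                        if e["path"].endswith(".exe") and "Java/" in e["ua"]), None)
            if jar and exe and jar["ts"] <= exe["ts"]:
                findings.append({
                    "client": client, "host": host,
                    "landing": landing["url"], "jar": jar["url"], "payload": exe["url"],
                    "java_unpatched": java_plugin_unpatched(exe["ua"]),
                    # The report notes "news" strings in pages, exploit and payload URL.
                    "news_lure": "news" in landing["path"],
                })
                break  # one finding per (client, host) is enough
    return findings


if __name__ == "__main__":
    for f in find_driveby_chains(SAMPLE_LOG):
        print(f)
```

The same-host and time-window constraints keep ordinary JAR downloads (client 10.0.0.33 above) from firing; in a real deployment the `.exe` check would be widened to whatever payload extensions and content types the proxy records.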