What Do Operation Red October and the Recently Discovered Java Flaw Have in Common?

[Chart: Java Exploits Detected per Week, before and after the public disclosure of Operation Red October]

It is only a couple of weeks into 2013, but already two major stories are rocking the security world. On Jan. 10, a malware researcher (@Kafeine) revealed a new Java vulnerability that was already being used in a number of crimeware exploit kits, including Blackhole, Cool Exploit Kit, Impact and RedKit. Exploit kits are used to identify endpoint vulnerabilities and select the appropriate exploit for installing a malware payload.

On Jan. 14, Kaspersky Labs announced the discovery of Operation Red October, another exploit kit targeting numerous reputable research companies. Oracle has been feverishly working to patch the Java vulnerability. Interestingly, in the same week, Microsoft announced it would quickly issue an emergency patch for a zero-day vulnerability in Internet Explorer.

IBM analyzed endpoints accessing corporate applications at a Global 1000 financial services company and identified approximately 300 exploits attempting to take advantage of this Java vulnerability a week before it was publicly disclosed. The week following the disclosure, over 500 exploits were attempted, a 74 percent increase from the previous week. This sudden rise tracks closely with prior studies showing a marked jump in infection attempts immediately following the public disclosure of a newly discovered vulnerability. All IBM clients were protected against advanced malware delivered via this exploit, or any other.

Operation Red October is “an elusive cyber espionage campaign targeting diplomatic, governmental and scientific research organizations in several countries for at least five years,” according to Kaspersky Labs. Victims were targeted by spear-phishing campaigns that included attachments (Microsoft Excel, Word and probably PDF documents) rigged with exploit code that took advantage of known security vulnerabilities in these applications.

The common theme here is that cyber criminals continue to exploit application vulnerabilities to deliver a malicious payload.

Java and Red October Have Easy Targets

Whether it’s Java, Excel, Word or other widely used applications, browsers, system tools or operating systems, vulnerabilities will always exist. A very large, capable and well-financed global cyber criminal network is continuously searching for new vulnerabilities and creating exploits that can use these flaws to install malware.

What’s more, it doesn’t matter whether the vulnerability is made public. As was the case with Operation Red October, the attackers exploited vulnerabilities that had been known since 2010; they simply hadn’t been patched on the targeted devices. While patching doesn’t help protect against unknown (zero-day) vulnerabilities, it does help against known vulnerabilities. Patching is simply a constant game of catch-up. With the wide array of applications now used across a multitude of endpoint devices, staying fully patched is an exercise in futility; something will be overlooked.

Since the advent of phishing, and as reiterated by the original FFIEC Authentication Guidance introduced in 2005, financial institutions have worked under the assumption that customer credentials (usernames and passwords) could very well be compromised. In response, they have put additional authentication and fraud prevention solutions in place to protect the institution if a criminal attempts to access a customer account with compromised credentials.

However, the ease with which criminals can install malware on endpoint devices, coupled with the devastating capabilities of advanced financial malware, introduces a new set of dangers beyond simple credential theft.

Time to Step It Up

As organized armies of cyber criminals work to uncover new application and system vulnerabilities and create exploits that use these flaws to install malware capable of evading all traditional detection technologies, financial institutions must step their defenses up another notch.

Financial institutions have reached a tipping point where they must now recognize, as they have with username and password security, that a majority of customer devices could very well be infected with advanced financial malware. This type of malware can inject fraudulent transactions, steal credentials and authentication factors and take control of legitimate, authenticated online banking sessions. Traditional authentication, fraud detection and antivirus software approaches are simply not capable of protecting against this threat.

George Tubin

Sr. Security Strategist

George Tubin is the Senior Security Strategist for Trusteer, an IBM company, where he heads the thought leadership program to advance online and mobile banking security and adoption, and advise enterprises on best practices for protecting corporate assets from targeted attacks. With over 25 years in the banking and high-technology industries, his areas of expertise include consumer online and mobile banking, online fraud and identity theft prevention, and enterprise fraud management strategies.