Dubbed "Operation Pawn Storm," this series of attacks targets military officials as well as various defense contractors. The campaign follows a common playbook (see Rombertik - Rise of Self Aware Malware): compromise a legitimate Website (or register a typosquatted domain), turn it into a phishing site, then target a small group of users - in this case NATO and US defense organization personnel - with spear-phishing emails that point to it. The attackers also deliver malware through legitimate Websites by injecting malicious iframes into their pages. Check out Trend Micro's 2014 analysis of Operation Pawn Storm for more details.
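The injected-iframe delivery vector above is something a Web team can check for directly. The script below is an added illustration, not code from the original post or from Menlo Security: it parses a page and flags any iframe that is both hidden (zero or one pixel in size, `display:none`, or pushed off-screen) and pointed at a host other than the page's own. The heuristics and the sample page are assumptions constructed for the example; the hostnames in it are placeholders, not real indicators.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Style fragments that hide an element without removing it from the DOM.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}px",
    re.IGNORECASE,
)


class _IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # Bare attributes such as <iframe hidden> arrive with a None value.
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _dimension(value):
    """Parse '0', '1px' or '' as an int; unparsable values (e.g. '100%') count as visible."""
    digits = value.strip().lower().removesuffix("px")
    return int(digits) if digits.isdigit() else None


def _is_hidden(attrs):
    """True for the hiding tricks drive-by iframes typically use (assumed heuristics)."""
    if "hidden" in attrs or HIDDEN_STYLE.search(attrs.get("style", "")):
        return True
    w, h = _dimension(attrs.get("width", "")), _dimension(attrs.get("height", ""))
    return (w is not None and w <= 1) or (h is not None and h <= 1)


def find_suspicious_iframes(html, page_host):
    """Return iframes that are both hidden and pointed at a host other than page_host."""
    parser = _IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        target = urlparse(src).hostname or page_host  # a relative src stays on-site
        if target.lower() != page_host.lower() and _is_hidden(attrs):
            findings.append({"src": src, "host": target})
    return findings


# Constructed sample page on www.example.org: one legitimate embed, one injected
# off-site drive-by iframe, and one hidden but on-site frame that should not fire.
SAMPLE_PAGE = """
<html><body>
<h1>Welcome</h1>
<iframe src="https://www.example.org/video" width="640" height="360"></iframe>
<p>News</p>
<iframe src="http://exploit-kit.example.net/gate.php" width="1" height="1"
        style="position:absolute; left:-9999px"></iframe>
<iframe src="/local/frame.html" width="0" height="0"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for hit in find_suspicious_iframes(SAMPLE_PAGE, "www.example.org"):
        print("suspicious iframe:", hit["src"])
```

Run it periodically against your own production pages (fetched the way a visitor would see them, since injected content is often served only once per IP or only to certain User-Agents) and diff the findings against a known-good baseline.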
The Return of Java 0days
The group behind Pawn Storm has been active since at least 2007 according to reports and has used a combination of malware-laden spear-phishing emails, watering-hole attacks, and spoofed Microsoft Outlook Web Access login pages to infiltrate systems. The latest twist in Pawn Storm is the delivery of malware that exploits an unpatched (zero-day) vulnerability in Oracle Java.
While Java is celebrating its 20th anniversary, it has become a write-once-infect-everything platform for malware authors. Java in the browser (the Java plugin and applets) is no longer broadly used on the public Internet for legitimate purposes. Some decade-old education sites still host Java applets, but more often than not, Java content on a modern Web site is likely to be malware. So why keep Java enabled at all? Because many organizations rely on legacy internal or partner applications that still depend on the Java plugin. And all too often, when users point that same Java-enabled browser at the Internet, BOOM!
Enterprises have the same love-hate relationship with Java that they have with its notorious sibling, Flash. The recommended best practices for securing Java are to disable the plugin on the endpoint or to enforce click-to-play. The former makes it impossible to use legitimate Java content, and the latter hands the decision to the user on every visit and makes the Web less usable; both are common side-effects of conventional security approaches.
Blocking swaths of the Web and degrading user experience are not helping us win the cyber war. That's why we've taken a different approach. The Menlo Security Isolation Platform executes entire Web sessions away from the endpoint, so malware never reaches the endpoint in the first place. With isolation, users can interact with Java (and Flash) content without fear of infection, without any impact on their user experience, and without any endpoint software. While it's a bit counter-intuitive, we actually enable enterprises to open up more of the Internet while at the same time reducing their risk.
Going back to the three vectors (spear-phishing emails, watering-hole sites, and spoofed OWA login pages), here's how our Isolation Platform can help defend against Pawn Storm:
- With our Web Isolation Service, any link in any email is opened in the Platform, which means that no malicious Java or malware of any type ever reaches the endpoint even if a site has been compromised.
- The Isolation Platform fingerprints sites on-the-fly and can automatically isolate any site found running vulnerable software, which is exactly the kind of site that ends up serving zero-day malware.
- With the Email Isolation Service, we integrate with Exchange, Office 365 and Google Apps to rewrite links in emails so that the Isolation Platform opens them in Protected Mode, which prevents users from entering sensitive data into phishing sites such as spoofed OWA login pages.
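The link-rewriting step in the last bullet is a generic technique, and the code below is an added example of how it works; it is not Menlo Security's implementation. It rewrites every http(s) link in the text and HTML parts of an e-mail so it points at a hypothetical isolation gateway (`https://isolate.example.net/open`, with the original destination carried in an assumed `u` parameter), refuses to double-wrap links that already point at the gateway, keeps sentence punctuation outside the link, and shows the gateway-side unwrap. The sample message is constructed for the example.

```python
import email
import re
from email import policy
from urllib.parse import parse_qs, quote, urlparse

# Hypothetical isolation gateway; the "u" parameter name is an assumption.
ISOLATION_BASE = "https://isolate.example.net/open"
_ISOLATION_HOST = urlparse(ISOLATION_BASE).hostname

# http(s) URLs in plain text or inside quoted HTML attribute values.
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
_TRAILING_PUNCT = ".,;:!?)"


def rewrite_url(url):
    """Wrap one URL; links already pointing at the gateway are left untouched."""
    if urlparse(url).hostname == _ISOLATION_HOST:
        return url
    return f"{ISOLATION_BASE}?u={quote(url, safe='')}"


def unwrap_url(wrapped):
    """Gateway side: recover the original destination from a rewritten link."""
    parsed = urlparse(wrapped)
    if parsed.hostname != _ISOLATION_HOST:
        return None
    return parse_qs(parsed.query).get("u", [None])[0]


def rewrite_text(text):
    """Rewrite every http(s) link in a body, keeping sentence punctuation outside the link."""
    def repl(match):
        url = match.group(0)
        trail = ""
        while url and url[-1] in _TRAILING_PUNCT:
            trail = url[-1] + trail
            url = url[:-1]
        return rewrite_url(url) + trail
    return URL_RE.sub(repl, text)


def rewrite_message(raw):
    """Parse an RFC 5322 message and rewrite links in every text/plain and text/html part.

    A regex is enough for this illustration; a production rewriter should walk
    the HTML DOM so that only href/src values are touched.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            part.set_content(rewrite_text(part.get_content()),
                             subtype=part.get_content_subtype())
    return msg


# Constructed sample: a credential-phishing lure pointing at a look-alike OWA host.
SAMPLE_MAIL = b"""From: it-helpdesk@example.com
To: analyst@example.com
Subject: Webmail password expiry
Content-Type: text/plain; charset="utf-8"

Your password expires today. Renew it at http://owa-example.net/owa/auth.
Questions? See https://intranet.example.com/help.
"""

if __name__ == "__main__":
    print(rewrite_message(SAMPLE_MAIL).get_content())
```

Two details matter in practice: the rewrite must be idempotent (mail often passes through more than one gateway, and a link wrapped twice breaks the unwrap), and the original destination must be recoverable, because the gateway still has to fetch it and users will want to see where a link really goes.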
As long as Java (and Flash) exist in the browser there will be new zero-day attacks. Any prevention mechanism that depends on detecting these attacks is, by definition, doomed to fail at some point. Pawn Storm is another unfortunate example of why a new approach to prevention is long overdue.