First Java Zero-Day in Two Years Shows Pawn Storm is Back

Security experts have discovered a new attack as part of the long-running state-sponsored ‘Pawn Storm’ campaign using the first Java zero-day threat spotted since 2013.

Malicious emails targeting a NATO member and a US defense firm were caught by researchers at Trend Micro, the firm noted in a new blog post.

The malicious URLs in these emails are similar to those in attacks targeting NATO members and the White House back in April, the firm said.

The exploit in question apparently affects Java, but not earlier versions 1.6 or 1.7.

Trend Micro continued:

“Once successfully exploited, it executes arbitrary code on the default Java settings thus compromising the security of the system. Trend Micro detects the exploit code as JAVA_DLOADR.EFD. The file which Trend Micro detects as TROJ_DROPPR.CXC drops the payload, TSPY_FAKEMS.C to the login user folder.”

The security vendor is recommending users disable Java in the browser and referred those that can’t to a handy guide on how to mitigate the risk of being hit by an exploit.

“The discovery of these attacks demonstrates that Operation Pawn Storm is still very much in play,” said Tom Kellermann, chief cybersecurity officer at Trend Micro. “We’ve seen geopolitical tension manifest in cyberspace, and this campaign has escalated in parallel with tensions in Eastern Europe.”

Operation Pawn Storm, or APT28 as it’s also known, is a state-sponsored group widely thought to be linked to Moscow.

First discovered in October last year, it has been accused of launching attacks in the past on European defense, government and media organizations, using the SEDNIT malware to steal sensitive information from victims.

It has also focused efforts on the Ukraine region currently at the center of a geopolitical conflict with Russia. Several local activists were targeted, for example.

Pawn Storm was even pegged for a notorious ‘Cyber Caliphate’ attack on French TV station TV5Monde which took several channels off air for hours.

What’s Hot on Infosecurity Magazine?