MiniDuke Targeted Attacks Also Use Java, Internet Explorer Exploits

Published: 22/11/2024   Category: security




Additional attack vectors also could be found, researchers say



Researchers who first spotted a targeted attack campaign aimed at a small number of government bodies in 23 countries -- mainly in Europe -- say they've discovered two new attack vectors in the attacks.
The so-called miniDuke campaign, first revealed by Kaspersky Lab and CrySys Lab late last month, initially was seen using a zero-day attack exploiting Adobe Reader 9, 10, and 11 (CVE-2013-0640) via spearphishing. The emails included convincing-looking PDF files that contained information on a supposed human rights seminar, Ukraine's foreign policy, and NATO membership plans.
But in the latest twist, Kaspersky and CrySys Lab found miniDuke employs two Web-based attack vectors as well. "Although the exploits were already known and published at the time of the attack, they were still very recent and could have worked against designated targets," said Igor Soumenkov, a Kaspersky Lab expert, in a blog post today. "Of course, it is possible that other unknown infection vectors exist; we will continue to monitor the situation and update the blog with new data when appropriate."
The latest versions of Windows, Java, and Reader serve as basic protection from the miniDuke attacks, which Kaspersky Lab has seen attacking some 59 different victim organizations in countries including Belgium, Brazil, Bulgaria, Czech Republic, Georgia, Germany, Hungary, Ireland, Israel, Japan, Latvia, Lebanon, Lithuania, Montenegro, Portugal, Romania, Russian Federation, Slovenia, Spain, Turkey, Ukraine, the U.K., and the U.S.
Soumenkov said the Java exploit abuses the CVE-2013-0422 vulnerability in Java, and looks a lot like the one issued by Metasploit. "The code of the exploit is very similar to the one published in the Metasploit kit, but the inner class that disables the security manager is encoded differently, most likely to avoid detection. According to HTTP headers of the server, the applet was uploaded on February 11, 2013, one month after the Metasploit code was published and two days before Oracle issued a security alert regarding the vulnerability," Soumenkov said in his post.
The IE 8 exploit, meanwhile, goes after the CVE-2012-4792 flaw in the browser, and also resembles the corresponding Metasploit module for the bug. "The code is also very similar to the Metasploit version of the exploit, while the payload part of the shellcode has been written by the Miniduke authors re-using the backdoor's code. The Metasploit code was released on December 29, 2012 and the vulnerability was officially fixed on January 14, 2013 (MS13-008) while the page with the exploit was uploaded on February 11, 2013," Soumenkov said.
Kaspersky Lab's latest post on miniDuke is here.
