Ransomware stands out as one of the most alarming issues in the landscape of modern cyberthreats. Through a wide variety of delivery methods and attack types – phishing emails, rootkits, direct deliveries of malware, breaches of IoT-connected devices that infect whole networks and so on – ransomware attackers effectively hold companies hostage. If financial demands aren't met, these malicious actors destroy valuable organizational data, make it inaccessible through encryption or release it to the public. (Sometimes attackers do these things even when the ransom is paid.)
With all of that taken into consideration, it's entirely understandable that companies across all industries want to protect their networks, data and other IT infrastructure from ransomware campaigns, especially while undertaking legacy application modernization efforts and other forms of digital transformation. But if they're using Java as the programming language to support some of these efforts, they may run into trouble of their own. Two recently discovered, notably significant cyberthreats – connected to certain programs created using Java and to flaws directly within it, respectively – could deter new app development efforts while also underscoring the long-standing security concerns surrounding the highly popular open-source language.
GitHub identifies malware vulnerability in Apache NetBeans
Integrated development environment tools provide reliable frameworks in which developers can write and compile applications in a given programming language. For Java, Apache NetBeans is one of the better-known, more widely used IDEs – and in late May, it was found to have been the entry point for a virulent malware strain that spread through GitHub's website.
According to ZDNet, the software development platform explained that the malware in question, which it dubbed "Octopus Scanner," caused infected hosts to download a remote access trojan that could discover, alter or steal all kinds of sensitive information on Windows, macOS or Linux machines. It could also jump from NetBeans to other Java projects, and could easily spread to other computers sharing a network with the initial host. GitHub discovered – after speaking with a third-party security specialist who first noticed the issue – that a total of 26 repositories on GitHub's site built using the NetBeans IDE contained the malware.
The GitHub security team did point out that NetBeans is no longer the most popular Java IDE, which might have limited the malware's spread. However, because the issue wasn't immediately discovered and patched, the malware could already have been modified to attack other IDEs.
"If malware developers took the time to implement this malware specifically for NetBeans, it means that it could either be a targeted attack, or they may already have implemented the malware for build systems such as Make, MsBuild, Gradle and others as well and it may be spreading unnoticed," the team said in a May 28, 2020 statement.
Security experts connect ransomware attack on European university to Java flaw
In Java, image files in the JIMAGE format contain all of the components necessary for code to run, although they are not, strictly speaking, applications themselves. Nonetheless, security experts from KPMG and BlackBerry, attempting to determine the root cause of a ransomware attack on a European educational institution – which has not yet been publicly identified – found that JIMAGE had been used to deploy the malware in question. According to TechCrunch, the ransomware, called Tycoon, encrypted numerous files across the facility's network and demanded payment in cryptocurrency to unlock them. (It remains unclear whether the European institution paid the ransom, which authorities generally discourage victims from doing.)
CyberScoop reported that as of June 4, only about a dozen organizations had been hit by Tycoon, leading BlackBerry and KPMG personnel to suspect that this particular malware had been tailored to go after very specific targets, most of them software firms or other educational institutions. The security experts noted that some Tycoon victims might have been able to recover their data without paying, because the attackers employed a fairly well-known RSA private key for the encryption seen in the earliest attacks. However, they also pointed out that the attackers' use of this particular Java file format was novel and made the malware harder to detect than it ordinarily would have been.
"This is the first sample we've encountered that specifically abuses the Java JIMAGE format to create a custom malicious JRE build," BlackBerry researchers said in their official report on the Tycoon cyberattacks. "Malware writers are constantly seeking new ways of flying under the radar. They are slowly moving away from conventional obfuscation and shifting towards uncommon programming languages and obscure data formats."
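A custom JRE build of the kind BlackBerry describes replaces the runtime's JIMAGE file (`lib/modules` in a modern JDK) with one the vendor never shipped. The following is an added example, not code from the BlackBerry/KPMG report: it validates the jimage header (the 0xCAFEDADA magic that OpenJDK writes at offset 0, in the host's native byte order) and compares the file's SHA-256 against a baseline of vendor-shipped digests. The baseline and sample images here are constructed stand-ins; in practice the digests would come from the JDK vendor's distribution.

```python
import hashlib
import struct

# Magic value OpenJDK writes at offset 0 of a jimage file (e.g. <jdk>/lib/modules).
JIMAGE_MAGIC = 0xCAFEDADA
HEADER_LEN = 28  # seven 32-bit header slots


def parse_jimage_header(data):
    """Decode the jimage header. The file is written in the host's native byte order,
    so try little- and big-endian and accept whichever yields the magic."""
    if len(data) < HEADER_LEN:
        raise ValueError("too short to hold a jimage header")
    for order in ("<", ">"):
        magic, version, flags, nres, tlen, locs, strs = struct.unpack(order + "7I", data[:HEADER_LEN])
        if magic == JIMAGE_MAGIC:
            return {"byte_order": order, "major": version >> 16, "minor": version & 0xFFFF,
                    "flags": flags, "resource_count": nres, "table_length": tlen,
                    "locations_size": locs, "strings_size": strs}
    raise ValueError("no jimage magic at offset 0")


def check_runtime_image(data, baseline):
    """Classify a runtime image: is it structurally a jimage, and is its digest one the vendor shipped?
    baseline maps sha256 hex digest -> label of the known-good build."""
    digest = hashlib.sha256(data).hexdigest()
    result = {"sha256": digest, "jimage": False, "known_good": digest in baseline,
              "matches": baseline.get(digest)}
    try:
        result["header"] = parse_jimage_header(data)
        result["jimage"] = True
    except ValueError as exc:
        result["error"] = str(exc)
    if result["known_good"]:
        result["verdict"] = "known_good"
    elif result["jimage"]:
        result["verdict"] = "rebuilt_or_tampered_jimage"  # valid format, unknown origin
    else:
        result["verdict"] = "not_a_jimage"
    return result


# Constructed stand-in for a vendor-shipped lib/modules: a valid v1.0 header plus filler bytes.
GOOD_IMAGE = struct.pack("<7I", JIMAGE_MAGIC, (1 << 16) | 0, 0, 3, 4, 64, 32) + b"\x00" * 96
BASELINE = {hashlib.sha256(GOOD_IMAGE).hexdigest(): "vendor build (constructed baseline)"}
# Constructed rebuilt image: one more resource than the vendor's, still a well-formed jimage.
REBUILT_IMAGE = struct.pack("<7I", JIMAGE_MAGIC, (1 << 16) | 0, 0, 4, 8, 80, 40) + b"\x00" * 128

if __name__ == "__main__":
    for name, img in (("vendor", GOOD_IMAGE), ("rebuilt", REBUILT_IMAGE)):
        print(name, check_runtime_image(img, BASELINE)["verdict"])
```

A `rebuilt_or_tampered_jimage` verdict on a production host is the signal to pull the runtime and compare its module list against the vendor's, since a legitimate `jlink` build and a malicious one look identical at the header level.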