DHS’s CERT unit doubles down on warnings regarding Java-based remote access malware

Earlier this month, our blog pointed out two significant security issues stemming from flaws within the Java programming language. One of these was cyberattackers' use of a particular aspect of Java to write malware that would be much harder for targets' security teams to detect than the average cyberthreat of its kind. 

Now, it appears that federal authorities – specifically, a branch of the U.S. Computer Emergency Response Team within the Department of Homeland Security – have confirmed and arguably reinforced the dangers of this particular web hazard. It will be critical for organizations about to engage in various system improvements, ranging from data scraping efforts to full-fledged digital transformation campaigns, to more thoroughly understand the gravity of this particular threat based on the further evidence discovered by government experts.

CERT clarifies levels of damage that the Tycoon malware can do

The original discovery of this new malware, which has been dubbed "Tycoon," came in the context of a joint report crafted by BlackBerry and KPMG, the key results of which were released June 4, according to TechCrunch. Per the tech industry news provider, KPMG was initially called in to directly address a cyberattack against an educational facility in Europe and aid in recovery efforts after the Tycoon attack had encrypted large swaths of the institution's data. 

concept image of hacker in hooded outfit behind layers of binary code
U.S. federal cybersecurity authorities confirmed that the detrimental effects of a Java-based malware strain could be even more devastating to victims than was previously believed.

About two weeks later, a New Zealand-based US-CERT team released an announcement through the main agency's website regarding the ransomware strain, albeit without directly naming Tycoon: The agency referred specifically to "a ransomware campaign leveraging remote access technologies," which is precisely how Tycoon works. So while it's certainly possible that CERT might have also been referring to other cyberthreats with similar profiles, there is not really much doubt that the Tycoon strain is a key subject of the government's warning.

"Malicious cyber actors are targeting organizations' networks through remote access tools, such as Remote Desktop Protocol and virtual private networks, to exploit unpatched vulnerabilities and weak authentication," CERT explained in its official advisory regarding Tycoon and any other types of malware or ransomware like it. "After gaining access, cyber actors use various tools … for privilege escalation, lateral movement, persistence, and data exfiltration and encryption. Due to the level of access gained before deploying ransomware, the issue cannot be resolved by simply restoring data from backup."

The latter aspect of Tycoon and its counterparts, as described by CERT, is arguably the most alarming: Although backups are still well worth keeping in place, the level of remote access that cyberattackers can gain using these new malware strains is so great that they could, in theory, either disable backups themselves or do enough damage before they are detected that backups won't be sufficient as a recovery tool.

Further insight regarding Java's facilitation of the threat

Claudiu Teodorescu, BlackBerry's director of threat hunting and intelligence, provided additional insight regarding the novel – and alarming – way in which Tycoon used Java to conceal itself from the security tools of its targets in an interview with Data Center Knowledge.

"[Antivirus programs] don't see [Java] as an executable file," Teodorescu said, according to the news source. Referring to Tycoon's specific use of the Java JIMAGE format as an attack vector, he added: "Java uses that format internally to share functionality and share code to be used by developers. It's an internal format that's not very well documented." 

Tycoon attacks represent the first known instance of hackers exploiting JIMAGE as a threat vector, using the format to build Java Runtime Environment architectures. These code-based creations technically are not applications – which is why firewalls and antivirus tools most likely don't detect them – but contain all of the elements necessary to run an app and can thus function according to the destructive whims of their malicious users. 

The matter is not without hope, as BlackBerry VP of Guard Services Eric Milam told Data Center Knowledge that the newest endpoint detection and response systems probably could catch Java-based attacks due to EDR's use of system behavior analysis. But unless organizations invest in such tools, they're still exposed to this unique Java-facilitated threat.

Java's dangerous pattern

The dangers represented by Tycoon are just one of the latest in a fairly long chain of discovered Java vulnerabilities. While largely attributable to the open-source nature of the code, that likely is not reassuring for organizations hoping to improve existing apps, create new app frameworks or engage in other modernization tasks – quite the opposite, in fact. Ultimately, it may be best for developers to avoid the issue entirely and use other codes and solutions. 

Here at the Inventu Corporation, we equip organizations of all sizes with a revolutionary terminal emulation tool called Inventu Viewer+, a high performance emulation solution that is built with C at its core. This solution allows developers to craft reliable and safe software using clean HTML and JavaScript hosted on secure Windows servers. All in all, Inventu Viewer+ supports streamlined IT modernization and meets employer and staff expectations in a way that feels both familiar and simple. Contact us today or review our extensive product catalog to see how Inventu can help you rid your servers of unsafe Java with a server product built over decades in the ever-reliable C language.