There is no shortage of cybersecurity hazards out in the world, and organizations have to take all of them seriously. Just looking at recent news, you'll see major stories of ransomware attacks that crippled national and global supply chain infrastructure, per CBS News, such as the May 2021 attack on Colonial Pipeline and the shutdown of meat processing plant JBS just a month later.
As alarmed by these headline-grabbing items as IT executives and company leaders should be, it's important not to let these larger-than-life dangers make you lose focus on other cyber vulnerabilities and threat vectors that are more subtle but can ultimately be just as dangerous. The risks to applications and system tools made with inherently unsafe open-source code like Java should be high on the list of "quiet but deadly" cyber hazards. As we will see, several recent developments throughout the late winter, spring and early summer of 2021 showcased the potential liabilities of Java tools in stark relief.
Flaws discovered in Java Runtime Environment
ZDNet reported Feb. 23 that IBM had issued a series of advisories regarding vulnerabilities found within the Java-based IBM Planning Analytics Workspace and Java Runtime Environment. These bulletins included breakdowns of the threats and potential mitigation strategies. The five flaws in the former application were not as serious, with an average Common Vulnerability Scoring System rating of 7 (and one was a mere 4.3), but all of them still could have been used as backdoors through which black-hat hackers could plant and execute malicious exploits, or steal critical data.
The Runtime Environment vulnerabilities were a mixed bag. One, centered around Libraries within Java Standard Edition, could allow an intruder to compromise SE as a whole but required a sandbox environment to execute, making it impractical as a cyberattack tool. On the other end of the spectrum was CVE-2020-27221, a weakness affecting the Eclipse OpenJ9 virtual machine implementation framework. Rated on the CVSS as a 9.8 critical threat, this vulnerability would allow a remote attacker to overflow the virtual machine simply by sending an extremely long string. Once the OpenJ9 buffer is overwhelmed, an intruder can bend it to their will through whatever arbitrary code they choose to execute, or simply crash it for the sake of chaos.
While patches for the programs affected by these vulnerabilities were made available by IBM almost instantly, the stories we'll examine in just a moment show that the existence of a patch in no way means a vulnerability can't still cause harm.
An old threat bedevils SAP
Unless an organization sets up an automated patching system on its network to propagate bug fixes to every machine the company uses, there's no guarantee that every user will be protected. People forget to implement patches all the time when they're tasked with handling them manually. Enterprise software giant SAP, working alongside the Onapsis Research Labs cybersecurity firm, released a report April 6 showing that several bugs that had been devastating to its programs were still in circulation, causing harm despite the availability of patches.
Most dangerous among these is a bug called RECON that, about one year ago, affected the LM Configuration Wizard within the Java-based SAP NetWeaver. Through this vulnerability, rated 10 by the CVSS, running a simple HTTP exploit could open up the Wizard — and, ultimately, all of NetWeaver — to full admin-level unauthorized control. An intruder could shut down SAP programs remotely or steal untold amounts of data. Although a patch for RECON was released July 14, 2020, the joint SAP/Onapsis report found numerous attacks had exploited the underlying vulnerability since then due to poor patch discipline.
Five other flaws were also covered in the report, including two with CVSS scores of 10: The first allows cyberattackers to gain full admin control of a SAP product suite by infiltrating SAP Solution Manager, while the other uses weaknesses in NetWeaver authentication to establish similarly wide-ranging control. Although patches exist for both, hackers have found workarounds and are still using the exploits.
STRRAT on the loose
German infosec research firm G Data Solutions discovered the STRRAT malware module in early July of 2020. This malware was written entirely in Java, and was devised to record keystroke data for credential theft. It is delivered through phishing campaigns. Once downloaded, it launches the Java Runtime Environment (which must be present for it to run) or prompts the installation of that program, and then goes to work looking for login data. STRRAT also appends an extension onto files it has affected that makes them look like they've been encrypted (though they haven't been).
Back then, STRRAT had major limitations, because it couldn't affect Mac users or anyone using Microsoft Outlook for their email. However, the version of it discovered by Microsoft researchers in late May 2021 is different, and is not automatically being blocked by specific email platforms. Organizations must simply raise awareness about how best to avoid phishing emails — and it certainly couldn't hurt to minimize or completely eradicate the use of Java.
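Because STRRAT only renames files rather than encrypting them, a responder can triage a "ransomware-looking" incident by checking whether the renamed files still carry their original format signatures. The script below is an added example written for this article; it is not code from the original page, from G Data or from Microsoft. The page does not name the extension STRRAT appends, so `SUSPECT_SUFFIX` is a constructed placeholder, and the sample directory tree is constructed inline so the script runs offline.

```python
import tempfile
from pathlib import Path

# Placeholder: the article does not state the extension STRRAT appends,
# so this value is constructed for the demonstration only.
SUSPECT_SUFFIX = ".fakecrypt"

# Leading bytes of a few common formats. A renamed file that still starts
# with one of these signatures has not been encrypted, only relabelled.
MAGIC = {
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip/office",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
}


def classify(path):
    """Read the first bytes of a file and report whether a known format survives."""
    with path.open("rb") as fh:
        head = fh.read(8)
    fmt = next((name for sig, name in MAGIC.items() if head.startswith(sig)), None)
    return {"path": str(path), "intact_format": fmt, "contents_intact": fmt is not None}


def scan(root, suffix=SUSPECT_SUFFIX):
    """Find every file under root carrying the suspect suffix and classify it."""
    hits = [classify(p) for p in Path(root).rglob(f"*{suffix}") if p.is_file()]
    return sorted(hits, key=lambda r: r["path"])


def summarize(results):
    """Count renamed files whose contents are provably intact vs. those needing manual review."""
    intact = sum(1 for r in results if r["contents_intact"])
    return {"flagged": len(results), "intact": intact, "unknown": len(results) - intact}


def build_sample_tree(root):
    """Constructed sample: two relabelled-but-intact files, one unrecognised file, one untouched file."""
    root = Path(root)
    (root / "docs").mkdir(parents=True, exist_ok=True)
    (root / "docs" / ("quarterly.pdf" + SUSPECT_SUFFIX)).write_bytes(b"%PDF-1.4\n% constructed sample\n")
    (root / ("logo.png" + SUSPECT_SUFFIX)).write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    # A plain-text file has no magic signature, so it lands in "unknown" and needs a human look.
    (root / ("notes.txt" + SUSPECT_SUFFIX)).write_bytes(bytes(range(32)))
    (root / "untouched.txt").write_bytes(b"not renamed, should not be flagged")
    return root


def demo():
    """Build the constructed tree in a temp dir, scan it and return (summary, per-file results)."""
    with tempfile.TemporaryDirectory() as tmp:
        results = scan(build_sample_tree(tmp))
        return summarize(results), results


if __name__ == "__main__":
    summary, results = demo()
    for r in results:
        print(r)
    print(summary)
```

On a real incident the "unknown" bucket is where the effort goes: a file with no recognisable signature may be a format the table does not list, a genuinely encrypted file, or simply text, so the table of signatures should be extended to match the organisation's own file types before the scan is trusted for triage.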