A Java Zero Day exploit is seeing use in attacks aimed at the armed forces of a NATO member country and a defense organization based in the United States, Trend Micro said.
The unpatched Oracle Java SE remote code execution vulnerability is seeing action from a group known as Pawn Storm, APT28, Sednit, Fancy Bear, Tsar Team, and Sofacy, Trend Micro said.
At one point Java Zero Days seemed commonplace, but this is the first Java Zero Day attack reported in nearly two years.
Trend Micro has not released any technical information on the Zero Day. Researchers said the vulnerability affects the latest version of Java, 220.127.116.11, but older versions such as 1.6 and 1.7 do not suffer from the issue. Oracle is working with Trend Micro on analyzing the threat.
In the attacks on the NATO member country and the U.S. defense organization, the attackers sent out emails that contained links to malicious domains hosting the Java exploit (JAVA_DLOADR.EFD). The exploit delivers a Trojan dropper (TROJ_DROPPR.CXC) that drops a payload detected as SPY_FAKEMS.C to the “login user” folder.
Experts have pointed out that the domains hosting the Java Zero Day exploit are similar to the ones used in April 2015 in attacks targeting NATO members and the White House.