
Taking Stock of Pawn Storm Zero-Day Vulnerabilities

  • Posted on:October 21, 2015
  • Posted in:Security, Vulnerabilities
  • Posted by:Christopher Budd (Global Threat Communications)

With the most recent Oracle Critical Patch Update, which addresses Java CVE-2015-4902, we have the second Pawn Storm-related vulnerability patched in less than a week. It is also the second Java vulnerability used in Pawn Storm zero-day attacks to be fixed since July 2015.

In total, Trend Micro’s Vulnerability Research Teams, working with our Forward-Looking Threat Research Team (FTR), have found three vulnerabilities used in zero-day attacks as part of the Pawn Storm campaign since July:

  • Java CVE-2015-2590 patched July 17, 2015
  • Flash CVE-2015-7645 patched October 16, 2015
  • Java CVE-2015-4902 patched October 20, 2015

We have been tracking Pawn Storm closely for over a year now. Over that year, even as the Pawn Storm attackers have changed their tactics, we have consistently seen two things:

  • Pawn Storm attackers target sensitive political, military, and diplomatic organizations, primarily in the US (including the White House and State Department) and other NATO allies, but also targets in Ukraine and Russian dissident groups.
  • Pawn Storm attackers are sophisticated: they comfortably use well-crafted Outlook Web Access phishing pages, create malicious iOS apps, and apply advanced exploitation techniques against vulnerabilities in Oracle Java and Adobe Flash.

The attackers have also shown they are aware of our work, redirecting a domain that once hosted the Java zero-day to point to Trend Micro IPs in July.

In the area of exploiting vulnerabilities, the Pawn Storm attackers have shown themselves to be especially skilled. As our analyses of both the Oracle Java and the Adobe Flash vulnerabilities show, the attackers are using very advanced techniques. In Java they were able to circumvent click-to-play, the prompt that requires a user to explicitly approve an applet before it runs and that has helped protect Java from these sorts of attacks for nearly two years. In the case of Flash, they found a way (the first that we know of) to bypass the Vector<*> mitigation developed jointly by Adobe and Google, the length-validation check on Vector objects that was added earlier in 2015 to stop the common exploitation technique of corrupting a Vector’s length to gain arbitrary read and write. In both cases, a mitigation that had been effective against earlier attacks did not stop Pawn Storm.

Fortunately, Trend Micro customers in particular have benefitted from our ongoing work around Pawn Storm. While we have worked responsibly with Oracle and Adobe, we have been able to provide protections for customers of Deep Security and our other products ahead of the vendor patches. This is standard practice for companies with vulnerability research capabilities, and it highlights another benefit to our customers from our broad expertise. In addition, the existing Sandbox with Script Analyzer engine, which is part of Trend Micro™ Deep Discovery, can detect attacks against the Adobe Flash or Oracle Java vulnerabilities by their behavior, without any engine or pattern updates: that technology protects out of the box.

There is no indication that Pawn Storm will be coming to an end anytime soon. The most likely thing we can expect next is for the attacks to continue and to keep growing in sophistication. This means that political, military, and diplomatic organizations in the United States and other NATO countries in particular should remain on alert for possible attacks. On our side, we will continue the work we have been doing for the past year: tracking and thwarting these attacks.

Please add your thoughts in the comments below or follow me on Twitter: @ChristopherBudd.
