Microsoft released a patch yesterday for a Windows bug that attackers had previously used against United States government and military networks in an attempt to steal sensitive data.
The exploit is believed to have been used by Chinese hackers to plant malware on Windows computers and, through it, to steal sensitive data from official U.S. networks. The managers of the military networks' security systems did, however, stop the intrusion before the attackers made off with any data.
John Hultquist, a researcher at threat-intelligence firm iSight Partners, said the attacks came from a known Chinese cyber-espionage group called Codoso.
Forbes, one of the most visited sites on the web, was itself a victim of a Codoso attack. The attackers compromised a widget on the site and used it to serve an exploit for a previously unknown bug in Adobe Flash, which Codoso is believed to have discovered. Anyone who visited the Forbes website from a Windows machine during the attack window is believed to have been exposed to the malware.
The malicious code injected into the widget was live on the Forbes site from November 28 to December 1, 2014, a spokeswoman for the site said.
The Forbes spokeswoman also said the site took immediate action to remove the malware and stop the ongoing attack. She later said the network has since been cleaned, that no data was stolen from Forbes itself, and that no group had come forward to claim credit for the attack.
Hultquist said the firm has been tracking Codoso closely for nearly five years and is almost certain the group was behind this attack on government networks.
Security firm Invincea provided more insight into Codoso's use of the exploit, saying it had also spotted several computers on U.S. military networks infected through the Forbes widget malware.
Once the malware infects a Windows computer, it logs which programs the machine runs and begins mapping the network to find other hosts it can compromise. Hultquist said the Codoso malware aimed to "land and expand."
"They want to get in and stay in and be as persistent as possible and gather intelligence over a long period of time," Hultquist told BBC News.
Norm Laudermilch of Invincea said the malware did not result in any data being stolen from federal government or U.S. military networks.
Laudermilch added, though, that analysis of the Codoso malware indicated it had already been used to infect other websites, and that the sheer size of Forbes's audience alone suggests hundreds of thousands of machines may have been infected.
Adobe had already released a patch for the Flash bug on December 9, 2014; Microsoft fixed the Windows-side bug only this week.
Hultquist said the trail of evidence suggests Codoso is not a "common-or-garden" cyber-espionage group: it is skilled at espionage and shows no interest in making money. He added that there are dozens of hacking groups based in China, and dozens of cybercrime gangs as well.
Microsoft's release also patched a bug dubbed "JASBUG," which the Redmond company described in a blog post detailing how the flaw works.
JAS Global Advisors, the firm that disclosed the bug, which affects Windows machines joined to an Active Directory domain, said it first reported the flaw to Microsoft in January 2014. It took Microsoft more than twelve months to patch it because the problem lay in a core part of Windows' design.
The firm said every computer and device that uses Active Directory domain membership was at risk. Once a machine is compromised, attackers have full control over it: they can install and remove software, launch further attacks, and use the machine for their own tasks.
Microsoft patched the flaw in its most recent Patch Tuesday release, but warned that installing the update alone is not enough: the fix adds new hardening settings that administrators must configure, and Microsoft has published guidance for network administrators on protecting their domains.
The patch is available for all supported Windows versions except Windows Server 2003. Microsoft said it cannot provide a patch for that release because the operating system's architecture does not support the fix, and advises those still running Windows Server 2003 to upgrade to a newer OS.
Home users whose Windows machines are not joined to a domain are at little risk from JASBUG, but are still advised to download and install the patch.
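The "not just install the update" warning above is the practical point for administrators: the JASBUG fix (Microsoft bulletin MS15-011) ships the capability to require authenticated, integrity-protected access to the SYSVOL and NETLOGON shares that Group Policy is read from, but the protection is off until the "Hardened UNC Paths" policy is set. The PowerShell below is an added example, not code from the article, from Microsoft or from JAS Global Advisors; it writes the registry-backed policy values Microsoft's guidance for this fix calls for on a single domain-joined client and verifies them. The function names are this example's own, and in production the same values would normally be pushed by a GPO (Computer Configuration > Administrative Templates > Network > Network Provider > Hardened UNC Paths) rather than set by hand.

```powershell
# Added example (not from the article or from Microsoft): enable and verify the
# Hardened UNC Paths policy that the MS15-011 (JASBUG) fix depends on.
# Run from an elevated PowerShell prompt on a patched, domain-joined client.

$Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'

# Require Kerberos mutual authentication and SMB signing for the two shares that
# Group Policy is retrieved from. RequirePrivacy=1 (SMB encryption) can be added
# too, but it needs SMB 3.0 on both client and server, so it is left out here.
$Required = @{
    '\\*\SYSVOL'   = 'RequireMutualAuthentication=1, RequireIntegrity=1'
    '\\*\NETLOGON' = 'RequireMutualAuthentication=1, RequireIntegrity=1'
}

function Set-HardenedUncPaths {
    # Creates the policy key if absent and writes one REG_SZ value per share.
    if (-not (Test-Path -Path $Key)) {
        New-Item -Path $Key -Force | Out-Null
    }
    foreach ($share in $Required.Keys) {
        New-ItemProperty -Path $Key -Name $share -PropertyType String `
            -Value $Required[$share] -Force | Out-Null
    }
}

function Test-HardenedUncPaths {
    # Returns $true only when every required share has both flags set.
    if (-not (Test-Path -Path $Key)) {
        Write-Warning "Policy key $Key does not exist; clients are not hardened"
        return $false
    }
    $props = Get-ItemProperty -Path $Key
    foreach ($share in $Required.Keys) {
        $actual = $props.$share
        if (-not $actual) {
            Write-Warning "$share has no hardening entry"
            return $false
        }
        foreach ($flag in @('RequireMutualAuthentication=1', 'RequireIntegrity=1')) {
            if ($actual -notmatch [regex]::Escape($flag)) {
                Write-Warning "$share is missing $flag (current value: '$actual')"
                return $false
            }
        }
    }
    return $true
}

Set-HardenedUncPaths
if (Test-HardenedUncPaths) {
    'Hardened UNC paths are configured for SYSVOL and NETLOGON'
}
```

The check function is worth keeping on its own: a machine that has the update installed but returns `$false` here still fetches Group Policy over an unauthenticated path and gains nothing from the patch, so it is the state a fleet audit should flag. Windows Server 2003 domain controllers cannot receive the update at all, which is why the article's upgrade advice matters for the server side as much as the client side.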