Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
threatpostDennis FisherTHREATPOST:B52CA00FF774207AF12C1CD3F20828B2
HistoryMar 13, 2014 - 1:56 p.m.

Energy Watering Hole Attack Used LightsOut Exploit Kit

2014-03-1313:56:15
Dennis Fisher
threatpost.com
21

0.858 High

EPSS

Percentile

98.6%

JSON

A recent watering-hole attack targeted firms in the energy sector using a compromised site belonging to a law firm that works with energy companies and led victims to a separate site that used the LightsOut exploit kit to compromise their machines.

The attack, which was active during late February according to researchers at Zscaler, follows a familiar pattern seen in many other such attacks. It began with the compromise of a law firm’s site at 39essex[.]com and when users hit the site, they were redirected to a third-party site, which hosted the exploit kit. When victims visited the second compromised site hosting the kit, it performed a number of diagnostic tests on the user’s browser to see what sort of exploits should be delivered.

The kit checks to see whether Java is running, whether the user is running Internet Explorer and what version of Adobe Reader is installed. Once that information is gathered, the LightsOut exploit kit goes to work, firing exploits against the user’s machine.

“Ultimately, a payload is delivered from the LightsOut Exploit kit, which attempts to drop a malicious JAR file exploiting CVE-2013-2465. At the time of research, the binary file was no longer available, which suggests that the attack window has now closed for this particular watering hole. However, other security sources tell us that the site used in the attack is also a known HAVEX RAT CnC,” Chris Mannon of Zscaler wrote in an analysis of the attack.

This most recent attack shares a lot of traits with one that ran last fall, and also targeted firms in the energy and oil sector. In that watering hole attack, the attackers were using Java, IE and Firefox exploits and the malware delivered was used to record system configurations and data on the clipboard and from the keyboard.

The researchers at Zscaler said that the similarities between the two attacks is likely not a coincidence.

“It would seem that the attackers responsible for this threat are back for more,” Mannon said.

_Image from Flickr photos of Joe Stump. _

Related

saint 4
metasploit 1
cisa_kev 1
symantec 1
thn 3
packetstorm 1
cve 2
zdt 1
threatpost 3
checkpoint_advisories 3
ubuntucve 2
prion 2
zdi 1
seebug 1
attackerkb 2
veracode 11
nvd 2
cvelist 2
exploitdb 1
ibm 15
openvas 45
suse 13
nessus 50
oraclelinux 3
redhat 10
centos 3
amazon 2
mageia 2
debian 2
ubuntu 3
securityvulns 1
photon 1
gentoo 2
saint
saint
Oracle Java Runtime Environment AWT storeImageArray Vulnerability
2013-08-30 00:00:00
Oracle Java Runtime Environment AWT storeImageArray Vulnerability
2013-08-30 00:00:00
Oracle Java Runtime Environment AWT storeImageArray Vulnerability
2013-08-30 00:00:00
metasploit
metasploit
Java storeImageArray() Invalid Array Indexing Vulnerability
2013-08-15 23:34:51
cisa_kev
cisa_kev
Oracle Java SE Unspecified Vulnerability
2022-03-28 00:00:00
symantec
symantec
Oracle Java SE CVE-2013-2465 Memory Corruption Vulnerability
2013-06-18 00:00:00
thn
thn
Java-Bot, a Cross-platform malware launching DDoS attacks from infected computers
2014-01-29 00:58:00
New Mac OS Malware exploited two known Java vulnerabilities
2013-09-24 04:15:00
New Mac OS Malware exploited two known Java vulnerabilities
2013-09-24 15:15:00
packetstorm
packetstorm
Java storeImageArray() Invalid Array Indexing
2013-08-16 00:00:00
cve
cve
CVE-2013-2465
2013-06-18 22:55:02
CVE-2013-2464
2013-06-18 22:55:02
zdt
zdt
Java storeImageArray() Invalid Array Indexing Vulnerability
2013-08-17 00:00:00
threatpost
threatpost
AskMen Purportedly Compromised by Nuclear Pack Kit
2014-06-24 09:10:34
Malicious Java App is Cross-Platform Botnet
2014-01-28 14:19:32
NetTraveler Now Using Java Exploits, Watering Hole Attacks
2013-09-03 09:32:29
checkpoint_advisories
checkpoint_advisories
LightsOut/Hello Exploit Kit (CVE-2013-2465)
2014-07-03 00:00:00
Oracle Java Runtime Environment storeImageArray Buffer Overflow (CVE-2013-2465)
2013-09-01 00:00:00
Infinity Exploit Kit Landing Page (CVE-2013-1347; CVE-2013-2423; CVE-2013-2465; CVE-2014-0322; CVE-2014-0502; CVE-2014-1776)
2014-06-10 00:00:00
ubuntucve
ubuntucve
CVE-2013-2465
2013-06-18 00:00:00
CVE-2013-2464
2013-06-18 00:00:00
prion
prion
Design/Logic Flaw
2013-06-18 22:55:00
Design/Logic Flaw
2013-06-18 22:55:00
zdi
zdi
Oracle Java AWT Memory Corruption Remote Code Execution Vulnerability
2013-06-27 00:00:00
seebug
seebug
Java storeImageArray() Invalid Array Indexing Vulnerability
2014-07-01 00:00:00
attackerkb
attackerkb
CVE-2013-2465
2013-06-18 00:00:00
CVE-2013-2464
2013-06-18 00:00:00
veracode
veracode
Sandbox Restrictions Bypass
2019-05-02 04:45:33
Privilege Escalation
2019-05-02 04:46:31
Information Disclosure
2019-05-02 04:46:29
nvd
nvd
CVE-2013-2465
2013-06-18 22:55:02
CVE-2013-2464
2013-06-18 22:55:02
cvelist
cvelist
CVE-2013-2465
2013-06-18 22:00:00
CVE-2013-2464
2013-06-18 22:00:00
exploitdb
exploitdb
Java - 'storeImageArray()' Invalid Array Indexing (Metasploit)
2013-08-19 00:00:00
ibm
ibm
Security Bulletin: CICS Transaction Gateway for Multiplatforms
2022-09-25 22:39:39
Security Bulletin: Flex System Manager (FSM) – June 2013 Java Vulnerabilities
2022-05-16 16:03:13
Security Bulletin: Potential security vulnerabilities with JavaTM SDKs
2022-09-25 21:06:56
openvas
openvas
SUSE: Security Advisory (SUSE-SU-2013:1293-2)
2021-06-09 00:00:00
SUSE: Security Advisory (SUSE-SU-2013:1264-1)
2021-06-09 00:00:00
Oracle Java SE Multiple Vulnerabilities -03 June 13 (Windows)
2013-06-24 00:00:00
suse
suse
Security update for java-1_4_2-ibm (important)
2013-07-27 17:04:24
Security update for IBM Java 1.4.2 (important)
2013-08-05 20:04:12
Security update for java-1_6_0-openjdk (important)
2013-07-23 22:04:14
nessus
nessus
SuSE 10 Security Update : java-1_4_2-ibm (ZYPP Patch Number 8652)
2013-07-28 00:00:00
SuSE 11.2 Security Update : java-1_4_2-ibm (SAT Patch Number 8109)
2013-07-28 00:00:00
Oracle Linux 5 / 6 : java-1.6.0-openjdk (ELSA-2013-1014)
2013-07-12 00:00:00
oraclelinux
oraclelinux
java-1.6.0-openjdk security update
2013-07-03 00:00:00
java-1.7.0-openjdk security update
2013-06-19 00:00:00
java-1.7.0-openjdk security update
2013-06-19 00:00:00
redhat
redhat
(RHSA-2013:1014) Important: java-1.6.0-openjdk security update
2013-07-03 00:00:00
(RHSA-2013:1081) Important: java-1.5.0-ibm security update
2013-07-16 00:00:00
(RHSA-2013:0958) Important: java-1.7.0-openjdk security update
2013-06-19 00:00:00
centos
centos
java security update
2013-07-04 10:07:44
java security update
2013-06-20 06:46:44
java security update
2013-06-20 06:43:01
amazon
amazon
Important: java-1.6.0-openjdk
2013-07-12 15:31:00
Important: java-1.7.0-openjdk
2013-06-20 14:14:00
mageia
mageia
Updated java-1.6.0-openjdk packages fix security vulnerabilities
2013-07-16 11:26:07
Updated java-1.7.0-openjdk packages fix multiple security vulnerabilities
2013-06-26 22:13:26
debian
debian
[SECURITY] [DSA 2727-1] openjdk-6 security update
2013-07-25 21:11:57
[SECURITY] [DSA 2722-1] openjdk-7 security update
2013-07-15 15:52:23
ubuntu
ubuntu
OpenJDK 7 vulnerabilities
2013-07-16 00:00:00
IcedTea Web update
2013-07-16 00:00:00
OpenJDK 6 vulnerabilities
2013-07-23 00:00:00
securityvulns
securityvulns
Oracle Java multiple security vulnerabilities
2013-08-28 00:00:00
photon
photon
Critical Photon OS Security Update - PHSA-2023-4.0-0413
2023-06-19 00:00:00
gentoo
gentoo
IcedTea JDK: Multiple vulnerabilities
2014-06-29 00:00:00
Oracle JRE/JDK: Multiple vulnerabilities
2014-01-27 00:00:00

0.858 High

EPSS

Percentile

98.6%

JSON
Related for THREATPOST:B52CA00FF774207AF12C1CD3F20828B2
saint4metasploit1cisa_kev1symantec1thn3packetstorm1cve2zdt1threatpost3checkpoint_advisories3ubuntucve2prion2zdi1seebug1attackerkb2veracode11nvd2cvelist2exploitdb1ibm15openvas45suse13nessus50oraclelinux3redhat10centos3amazon2mageia2debian2ubuntu3securityvulns1photon1gentoo2