FireEye researchers began investigating the vulnerability after a Twitter post by Joshua J. Drake on August 26.
Vulnerable component: Java SE
CVSSv3 score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C
CWE-ID: CWE-388 - Error Handling
The vulnerability allows a remote attacker to execute arbitrary code on the vulnerable system.
Note: the vulnerability was being actively exploited.
Known APT campaigns:
FireEye identified a cyber espionage campaign, which it calls “Ke3chang,” that falsely advertises information updates about the ongoing crisis to compromise MFA (Ministry of Foreign Affairs) networks in Europe. The timing of the attacks precedes a G20 meeting held in Russia that focused on the crisis in Syria. 23 command-and-control (CnC) servers operated by the Ke3chang actor are known, along with 21 compromised machines connecting to the CnC servers. These included what appear to be three administrative tests by the attackers and two connections from other malware researchers. Among the targets, FireEye identified nine compromises at government ministries in five different European countries. Eight of these compromises were at MFAs.
- Java 7 Applet - Remote Code Execution (Metasploit) [Exploit-DB]