Kaspersky Lab has recently discovered the extent to which a remote access Trojan is being used by cybercriminals, highlighting the security risk from Java Runtime Environment.

Kaspersky Lab discovered that the Adwind remote access Trojan (RAT) discovered in 2012 is being used extensively by cybercriminals to conduct attacks on businesses. The RAT is frequently tweaked to avoid detection with numerous variants currently in use in the wild. The RAT has many names in addition to Adwind, with Alien Spy, JSocket, jRat, and Sockrat just a few of the names of the Adwind malware variants.

The Java-based RAT is now being rented out to criminal gangs to allow them to conduct their opportunistic attacks on companies and individuals, sometimes for as little as $25. Kaspersky Lab estimates that the number of criminals now using the malware has risen to around 1,800. The malware is estimated to be raking in around $200,000 a year for the authors. To date, it is estimated that the RAT has been used to attack as many as 440,000 users.

The frequency of attacks is also increasing. In the past 6 months, around 68,000 new infections have been discovered.

Have You Effectively Managed the Security Risk from Java Runtime Environment?

The latest variant is known as JSocket. The malware is believed to have first appeared in the summer of 2015 and is still being extensively used. The RAT is most commonly spread by phishing campaigns with users fooled into running the Java file, installing the Trojan. While the RAT is primarily distributed by large-scale email spam campaigns, some evidence has been uncovered to suggest it is being used as part of targeted attacks on individuals and organizations.

This is a cross-platform malware that can be used on Windows, Linux, Android, and Mac OS systems. It serves as a backdoor allowing cybercriminals to gain access to the system on which it is installed, effectively allowing them to take control of devices, gather data, log keystrokes, and exfiltrate data. It is also capable of moving laterally. It is written entirely in Java and can be used to attack any system that supports the Java Runtime Environment.

The security risk from Java Runtime Environment is considerable. Kaspersky Lab recommends that all organizations review their use of JRE and disable it whenever possible.

Unfortunately, many businesses use Java-based applications, and disabling or uninstalling JRE is likely to cause problems.  However, it is essential to manage the security risk from Java Runtime Environment to prevent infections from Adwind and its variants.

If there is no need for JRE to be installed on computers, it should be removed. It represents an unnecessary risk that could result in a business network being compromised.

If it is not possible to disable JRE, it is possible to protect computers from Adwind/JSocket. Since this malware is commonly sent out as a Java archive file, the code can be prevented from running by changing the program used to open JAR files.

Have you managed the security risk from Java Runtime Environment? Is JRE unnecessarily installed on computers used to access your network?