Zero-day Java exploit shows how fast hackers have become
A recent zero-day exploit for Java (since addressed by an out-of-cycle update from Oracle, although the patch apparently has a flaw of its own) got a lot of attention and generated calls for users to disable or remove Java. Stephen Cobb, security evangelist at ESET, called this “an alternative to keeping up with the patching process.”
But what really got his attention was not the threat to (or from) Java, but the growing efficiency of the malware developers.
“The interesting thing to me is the speed with which an exploit for the vulnerability has been fielded,” he said. “It illustrates the industrialization of malware.”
Developers of malicious code are becoming faster, better and more efficient, he said. They are employing a division of labor to take advantage of specialized skill sets and leveraging emerging standards to improve interoperability and ease the job of assembling exploits and tool kits. The result is increased availability of tools for delivering attacks, quietly siphoning off intellectual property and sensitive data, and doing reconnaissance on systems that control our critical infrastructure.
The development isn’t new, and Cobb is not the first to notice it. “It’s been coming for a while,” he said.
It is the result of the introduction of the profit motive into hacking. Hacking was once the domain of glory-seeking coders or script-kiddies with axes to grind; criminals now are making big bucks from attacks, and nation states apparently are willing to invest money to gain access to tools for espionage and sabotage.
The end result is that the growing ranks of IT security professionals are now being pitted against increasingly professional adversaries. But there still remains at least one advantage for the good guys. Cybersecurity is becoming part of college curriculums, but to date I am not aware of any college or university offering a degree program in malicious coding and system penetration.