Microsoft Subnet: An independent Microsoft community

Evernote hack forces 50 million to reset passwords, yet another new Java zero-day

After detecting a hack, Evernote is requiring all 50 million customers to change passwords. Although Evernote does not believe the attackers used a critical hole in Java to gain access, there is a new Java zero-day successfully being exploited in the wild.

The cloud-based note-syncing and productivity software service Evernote announced that attackers gained access to accounts' usernames, email addresses and passwords, so 50 million Evernote customers are required to change their passwords. Yet the company maintains this forced service-wide password change is a "precaution to protect your data."

According to Evernote's security notice, "Evernote's Operations & Security team has discovered and blocked suspicious activity on the Evernote network that appears to have been a coordinated attempt to access secure areas of the Evernote Service."

The notice continues:

"In our security investigation, we have found no evidence that any of the content you store in Evernote was accessed, changed or lost. We also have no evidence that any payment information for Evernote Premium or Evernote Business customers was accessed.

The investigation has shown, however, that the individual(s) responsible were able to gain access to Evernote user information, which includes usernames, email addresses associated with Evernote accounts and encrypted passwords. Even though this information was accessed, the passwords stored by Evernote are protected by one-way encryption. (In technical terms, they are hashed and salted.)"
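What "hashed and salted" buys, and what it does not, is easier to see in code. The Python below is an added example written for this page, not Evernote's code; the choice of PBKDF2-HMAC-SHA256, the 50,000-iteration work factor, the user names, the passwords and the attacker's word list are all assumptions constructed for illustration. A per-user salt defeats precomputed tables and forces the attacker to re-hash every guess for every user, but it does nothing for a weak password: the stolen salt and digest are all that is needed to run a dictionary attack offline, which is why resetting every password, not only the obviously weak ones, is the sound decision.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Assumed work factor for this example; the page does not say what Evernote used.
ITERATIONS = 50_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> Tuple[bytes, bytes]:
    """Salted one-way hash with PBKDF2-HMAC-SHA256; a fresh 16-byte salt per user."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes,
                    iterations: int = ITERATIONS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def crack_leaked_records(records: List[Tuple[str, bytes, bytes]], wordlist: List[str],
                         iterations: int = ITERATIONS) -> Dict[str, str]:
    """The offline attack a thief runs on a stolen (username, salt, digest) table.

    The salt means each word must be re-hashed per user (no shared rainbow table),
    but every word still gets tested; only password strength and the work factor
    make the attack slow or fruitless."""
    recovered: Dict[str, str] = {}
    for username, salt, digest in records:
        for word in wordlist:
            if hashlib.pbkdf2_hmac("sha256", word.encode("utf-8"), salt, iterations) == digest:
                recovered[username] = word
                break
    return recovered


# Constructed sample users (not real accounts): one dictionary word, one long passphrase.
SAMPLE_PASSWORDS = {"alice": "sunshine", "bob": "correct-horse-battery-staple-2013"}
# Constructed attacker word list.
WORDLIST = ["password", "123456", "evernote", "sunshine", "letmein"]


def build_sample_records() -> List[Tuple[str, bytes, bytes]]:
    """What the stolen table looks like: username, salt, digest (emails omitted)."""
    return [(user, *hash_password(pw)) for user, pw in SAMPLE_PASSWORDS.items()]


if __name__ == "__main__":
    # alice's password is recovered from the leaked salt and digest; bob's is not.
    print(crack_leaked_records(build_sample_records(), WORDLIST))
```

Run it and the weak account falls to a five-word list while the passphrase survives it; the salt changed the cost per guess, not the outcome. A larger word list or a lower work factor only widens the gap between what the attacker recovers and what the service can tell its users, so the reset is the control that actually closes the exposure.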

Evernote reminded users to "never click on 'reset password' requests in emails; instead go directly to the service." However, as Naked Security's Graham Cluley pointed out, "Uh-oh, in the same email that Evernote tells users not to click on 'reset password' requests sent via email, they have clickable links. And what might make some recipients pause for thought is that the links don't go directly to evernote.com, but instead link to a site called mkt5371." Cluley explained, "This was just carelessness on Evernote's part. mkt5371 is a domain owned by Silverpop, an email communications firm that Evernote has clearly employed to send emails to its 50 million or so affected users."

An Evernote company representative told CNET that this breach "follows a similar pattern of the many high profile attacks on other Internet-based companies that have taken place over the last several weeks." Evernote joins Facebook, Apple, Twitter and Microsoft in a continuing trend of companies publicly admitting that they suffered an intrusion. Unlike the hacked newspapers and Mandiant's report, Evernote did not mention Chinese hackers. Nor did it say whether the "sophisticated" attack is believed to be linked to the Eastern European hacker gang that Bloomberg reported is behind some of the Mac attacks aimed at stealing company secrets.

Evernote spokeswoman Ronda Scott told Reuters that the Redwood City, California-based company believes "the hackers did not exploit a bug in Java when they broke into the company's system."

Yet another new Java zero-day being exploited in the wild

On that note, the malware intelligence lab FireEye warned that there is yet another Java zero-day that is successfully being exploited "against browsers that have Java v1.6 Update 41 and Java v1.7 Update 15 installed." Threat intelligence firm Cyber Engineering Services Inc (CyberESI) was credited for confirming this new critical hole in Java. After triggering the vulnerability, the attackers install a Trojan dubbed McRAT. Although FireEye wanted to warn the general public, the company:

...notified Oracle and will continue to work with Oracle on this in-the-wild discovery. Since this exploit affects the latest Java 6u41 and Java 7u15 versions, we urge users to disable Java in your browser until a patch has been released; alternatively, set your Java security settings to "High" and do not execute any unknown Java applets outside of your organization.

Hopefully you disabled Java long ago? Surely you did after experts said it may take two years to fix all the Java flaws.
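Triage starts with knowing which hosts still run the builds FireEye named. The Python below is an added example for this page, not FireEye's or Oracle's tooling: it parses the first line of `java -version` output (which Java writes to stderr, hence the `2>&1` in the sample) into a family and update number and flags anything at or below 6u41 or 7u15. The cutoff is an assumption: the page names only 6u41 and 7u15, and this check treats earlier updates in the same family as unpatched as well. The host names and captured output are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Update levels the page reports as exploited in the wild (FireEye): 6u41 and 7u15.
# Assumption for this example: earlier updates in each family are treated as unpatched too.
LAST_VULNERABLE_UPDATE = {6: 41, 7: 15}

# Matches the first line of `java -version`, e.g.  java version "1.7.0_15"
VERSION_RE = re.compile(r'(?:java|openjdk) version "1\.(\d)\.\d+(?:_(\d+))?"')


def parse_java_version(output: str) -> Optional[Tuple[int, int]]:
    """Return (family, update) from `java -version` text, e.g. (7, 15); None if not Java output."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2) or 0)


def is_vulnerable(output: str) -> Optional[bool]:
    """True if at or below the last known-vulnerable update for its family, False if newer
    or a family the advisory text does not name, None if the text is not Java version output."""
    parsed = parse_java_version(output)
    if parsed is None:
        return None
    family, update = parsed
    limit = LAST_VULNERABLE_UPDATE.get(family)
    return update <= limit if limit is not None else False


def triage(hosts: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Split hosts into (needs_action, unrecognised) from captured `java -version` output.

    Unrecognised output (no Java on the path, or a runtime with a different banner)
    is listed separately so someone looks at it rather than it silently passing."""
    needs_action: List[str] = []
    unknown: List[str] = []
    for host, output in sorted(hosts.items()):
        verdict = is_vulnerable(output)
        if verdict is None:
            unknown.append(host)
        elif verdict:
            needs_action.append(host)
    return needs_action, unknown


# Constructed sample: what `java -version 2>&1` might return on four hosts (not real captures).
SAMPLE_HOSTS = {
    "ws01": 'java version "1.7.0_15"\nJava(TM) SE Runtime Environment\n',
    "ws02": 'java version "1.6.0_41"\nJava(TM) SE Runtime Environment\n',
    "ws03": 'java version "1.7.0_17"\nJava(TM) SE Runtime Environment\n',
    "ws04": "java: command not found\n",
}

if __name__ == "__main__":
    needs_action, unknown = triage(SAMPLE_HOSTS)
    print("needs action:", needs_action)
    print("look manually:", unknown)
```

Feed it the output collected by whatever inventory tool you already have, and the hosts it returns are the ones where the browser plug-in should be disabled or the security slider raised until a fixed release is installed; a version check like this says nothing about whether the plug-in is actually enabled in a given browser, so it is a starting list, not a clean bill of health.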

Alex Lanstein, a senior security researcher at FireEye, told Krebs on Security that this is the same malware using the same command and control server as the group that attacked Bit9. Symantec added that attackers using this Trojan "have been extremely persistent and have shown their sophistication in multiple attacks. Their primary motivation has been industrial espionage on a variety of industry sectors. The attackers have employed multiple zero-days." Symantec pointed back to its reports of watering hole attacks and the espionage hacker gang 'Elderwood' that reportedly has 'an unlimited supply of zero-day vulnerabilities.'

On Feb. 28, Oracle assigned CVE-2013-1493 to this new critical Java hole.

Follow me on Twitter @PrivacyFanatic

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.