Application Security //

Database Security

11/8/2012
03:35 AM
50%
50%

4 Long-Term Hacks That Rocked 2012

News of lengthy hacker incursions into enterprise databases and networks has been plentiful over the last year -- here's a highlight reel

So far, 2012 has been the year for skeletons falling out of the IT security closet. The headlines have been hopping with stories of companies whose networks and databases were thoroughly owned by hackers for months and years at a time, often undetected until government agents came to let them know they'd been compromised and had been for a while. Many organizations go to great lengths to keep news of these kinds of breaches under wraps if no regulated PII is stolen, but this year many haven't kept the light of day from shining on their deep, dark security inadequacies. Dark Reading took a look at some of the most impactful long-term compromises brought to light in the past year and what these events mean to security pros.

1. U.S. Chamber Of Commerce
In the waning days of 2011, news broke that the U.S. Chamber of Commerce fell victim to a year-long attack from Chinese hackers -- a common origin for many of the long-term hacks described here. In this instance, the FBI told the chamber that attackers were using servers in China to steal information from its network. The organization could never pinpoint an initial point of entry, but as it investigated it found that attackers had booby-trapped its entire network with backdoors to better steal from its data stores.

The publicity of this attack gave us food for thought through the New Year about the way hackers had upped their game in strategic targeting against organizations of all types. It showed a "new level of sophistication," Joe Gottlieb, president and CEO of Sensage, told Dark Reading.

"The hackers were able to choose the targeted organization -- the U.S. Chamber of Commerce. They were able to choose the people within that organization that mattered to them -- the individuals known to be working on Asia policy," he says. "They were able to obtain all email content, including attachments, exchanged between these individuals and other organizations, several of which must have been relevant to the matters of interest."

2. Nortel
If one year of unfettered compromise of network and database resources seemed bad, how about ten times that? The security industry had its worst suspicions confirmed about how long attackers could hold onto corporate infrastructures when The Wall Street Journal published insider information that shed light on Nortel's decade spent under the thumb of Chinese hackers prior to the company's parceling itself out to Avaya and several other tech firms in fire sales over the course of 2009 and 2010. Interestingly, Nortel did have a whiff of the unmitigated takeover of its network, but never let on to its acquirers about the bad news.

[Are we lying to the CEOs or are they lying to themselves about database security? See Lies We Tell Our CEOs About Database Security.]

Security experts say Nortel no outlier in corporate America.

"The sad reality is that it's highly likely that Nortel isn't the only company that has been breached for a long time and is just now deciding to disclose it, Marcus Carey, security researcher for Rapid7, told Dark Reading.

The WSJ story heavily featured a former employee who led internal investigations about the attacks who was continually blown off by executives as someone "who cried wolf." This scenario truly highlights the necessity of consensus building and skilled communication coming from the security department in order to truly catalyze the change necessary to detect and stop the pwnage in its tracks.

3. Japan Finance Ministry
This July, the Japan Finance Ministry let slip that it had been the target of a two-year-long incursion into its networks in 2010 and 2011 by hackers using a remote access Trojan. The malware wasn't discovered until well after it was active, but Japanese officials said its initial investigation this summer uncovered 123 of 2,000 computers checked were infected.

The long-term viability of a Trojan on Japanese government PCs offers a good example of how today's attackers are using obfuscated malware to conduct stealthy attacks.

"To get at the root of the problem, security professionals must leverage a great many tools and employ in-depth (and often manual) analysis of log files, network traffic and program code," wrote Stephen Cobb, author of the recent InformationWeek Report, "How Did They Get In? A Guide to Tracking Down the Source of APTs" (PDF).

4. Coca-Cola
Any industry vet would tell you that one of the most favorite example scenarios presented at security conferences about IP theft inevitably wander toward analogies that involve Coca-Cola. "If you were Coke and your IP was stolen, what would that mean to your business?" is the type of hypothetical that plenty of speakers have bandied about. But this week the hypothetical was shown to actually have some basis in fact when a report by BloombergBusinessWeek uncovered an attack on Coca-Cola in 2009 that cut so deep into intellectual property and secret company data that insiders say it played a hand in scuppering the beverage giant's bid to buy a Chinese drinks conglomerate.

Security experts say the attack once again shows the critical need to lock down privileged accounts, as reports show that the Coca-Cola compromise came about first through spearphishing and then got worse through the use of attack targets' legitimate network credentials.

"Whether they're called hard-coded passwords, admin passwords, or privileged accounts, they're all privileged access points that provide a direct -- and often anonymous -- route to an organization's most sensitive data and infrastructure," Adam Bosnian, executive vice president of Americas and corporate development for Cyber-Ark, told Dark Reading.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Cara Latham
50%
50%
Cara Latham,
User Rank: Apprentice
11/15/2012 | 7:13:57 PM
re: 4 Long-Term Hacks That Rocked 2012
The new level of sophistication to these recent hacks is scary, especially since they seem to have targeted governmental agencies and large corporations.
Companies Blindly Believe They've Locked Down Users' Mobile Use
Dawn Kawamoto, Associate Editor, Dark Reading,  11/14/2017
Microsoft Word Vuln Went Unnoticed for 17 Years: Report
Kelly Sheridan, Associate Editor, Dark Reading,  11/14/2017
121 Pieces of Malware Flagged on NSA Employee's Home Computer
Kelly Jackson Higgins, Executive Editor at Dark Reading,  11/16/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Managing Cyber-Risk
An online breach could have a huge impact on your organization. Here are some strategies for measuring and managing that risk.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.