Application Security // Database Security
11/8/2012
03:35 AM
Connect Directly
RSS
E-Mail
50%
50%

4 Long-Term Hacks That Rocked 2012

News of lengthy hacker incursions into enterprise databases and networks has been plentiful over the last year -- here's a highlight reel

So far, 2012 has been the year for skeletons falling out of the IT security closet. The headlines have been hopping with stories of companies whose networks and databases were thoroughly owned by hackers for months and years at a time, often undetected until government agents came to let them know they'd been compromised and had been for a while. Many organizations go to great lengths to keep news of these kinds of breaches under wraps if no regulated PII is stolen, but this year many haven't kept the light of day from shining on their deep, dark security inadequacies. Dark Reading took a look at some of the most impactful long-term compromises brought to light in the past year and what these events mean to security pros.

1. U.S. Chamber Of Commerce
In the waning days of 2011, news broke that the U.S. Chamber of Commerce fell victim to a year-long attack from Chinese hackers -- a common origin for many of the long-term hacks described here. In this instance, the FBI told the chamber that attackers were using servers in China to steal information from its network. The organization could never pinpoint an initial point of entry, but as it investigated it found that attackers had booby-trapped its entire network with backdoors to better steal from its data stores.

The publicity of this attack gave us food for thought through the New Year about the way hackers had upped their game in strategic targeting against organizations of all types. It showed a "new level of sophistication," Joe Gottlieb, president and CEO of Sensage, told Dark Reading.

"The hackers were able to choose the targeted organization -- the U.S. Chamber of Commerce. They were able to choose the people within that organization that mattered to them -- the individuals known to be working on Asia policy," he says. "They were able to obtain all email content, including attachments, exchanged between these individuals and other organizations, several of which must have been relevant to the matters of interest."

2. Nortel
If one year of unfettered compromise of network and database resources seemed bad, how about ten times that? The security industry had its worst suspicions confirmed about how long attackers could hold onto corporate infrastructures when The Wall Street Journal published insider information that shed light on Nortel's decade spent under the thumb of Chinese hackers prior to the company's parceling itself out to Avaya and several other tech firms in fire sales over the course of 2009 and 2010. Interestingly, Nortel did have a whiff of the unmitigated takeover of its network, but never let on to its acquirers about the bad news.

[Are we lying to the CEOs or are they lying to themselves about database security? See Lies We Tell Our CEOs About Database Security.]

Security experts say Nortel no outlier in corporate America.

"The sad reality is that it's highly likely that Nortel isn't the only company that has been breached for a long time and is just now deciding to disclose it, Marcus Carey, security researcher for Rapid7, told Dark Reading.

The WSJ story heavily featured a former employee who led internal investigations about the attacks who was continually blown off by executives as someone "who cried wolf." This scenario truly highlights the necessity of consensus building and skilled communication coming from the security department in order to truly catalyze the change necessary to detect and stop the pwnage in its tracks.

3. Japan Finance Ministry
This July, the Japan Finance Ministry let slip that it had been the target of a two-year-long incursion into its networks in 2010 and 2011 by hackers using a remote access Trojan. The malware wasn't discovered until well after it was active, but Japanese officials said its initial investigation this summer uncovered 123 of 2,000 computers checked were infected.

The long-term viability of a Trojan on Japanese government PCs offers a good example of how today's attackers are using obfuscated malware to conduct stealthy attacks.

"To get at the root of the problem, security professionals must leverage a great many tools and employ in-depth (and often manual) analysis of log files, network traffic and program code," wrote Stephen Cobb, author of the recent InformationWeek Report, "How Did They Get In? A Guide to Tracking Down the Source of APTs" (PDF).

4. Coca-Cola
Any industry vet would tell you that one of the most favorite example scenarios presented at security conferences about IP theft inevitably wander toward analogies that involve Coca-Cola. "If you were Coke and your IP was stolen, what would that mean to your business?" is the type of hypothetical that plenty of speakers have bandied about. But this week the hypothetical was shown to actually have some basis in fact when a report by BloombergBusinessWeek uncovered an attack on Coca-Cola in 2009 that cut so deep into intellectual property and secret company data that insiders say it played a hand in scuppering the beverage giant's bid to buy a Chinese drinks conglomerate.

Security experts say the attack once again shows the critical need to lock down privileged accounts, as reports show that the Coca-Cola compromise came about first through spearphishing and then got worse through the use of attack targets' legitimate network credentials.

"Whether they're called hard-coded passwords, admin passwords, or privileged accounts, they're all privileged access points that provide a direct -- and often anonymous -- route to an organization's most sensitive data and infrastructure," Adam Bosnian, executive vice president of Americas and corporate development for Cyber-Ark, told Dark Reading.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Cara Latham
50%
50%
Cara Latham,
User Rank: Apprentice
11/15/2012 | 7:13:57 PM
re: 4 Long-Term Hacks That Rocked 2012
The new level of sophistication to these recent hacks is scary, especially since they seem to have targeted governmental agencies and large corporations.
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-4734
Published: 2014-07-21
Cross-site scripting (XSS) vulnerability in e107_admin/db.php in e107 2.0 alpha2 and earlier allows remote attackers to inject arbitrary web script or HTML via the type parameter.

CVE-2014-4960
Published: 2014-07-21
Multiple SQL injection vulnerabilities in models\gallery.php in Youtube Gallery (com_youtubegallery) component 4.x through 4.1.7, and possibly 3.x, for Joomla! allow remote attackers to execute arbitrary SQL commands via the (1) listid or (2) themeid parameter to index.php.

CVE-2014-5016
Published: 2014-07-21
Multiple cross-site scripting (XSS) vulnerabilities in LimeSurvey 2.05+ Build 140618 allow remote attackers to inject arbitrary web script or HTML via (1) the pid attribute to the getAttribute_json function to application/controllers/admin/participantsaction.php in CPDB, (2) the sa parameter to appl...

CVE-2014-5017
Published: 2014-07-21
SQL injection vulnerability in CPDB in application/controllers/admin/participantsaction.php in LimeSurvey 2.05+ Build 140618 allows remote attackers to execute arbitrary SQL commands via the sidx parameter in a JSON request to admin/participants/sa/getParticipants_json, related to a search parameter...

CVE-2014-5018
Published: 2014-07-21
Incomplete blacklist vulnerability in the autoEscape function in common_helper.php in LimeSurvey 2.05+ Build 140618 allows remote attackers to conduct cross-site scripting (XSS) attacks via the GBK charset in the loadname parameter to index.php, related to the survey resume.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Where do information security startups come from? More important, how can I tell a good one from a flash in the pan? Learn how to separate ITSec wheat from chaff in this episode.