11/8/2012
03:35 AM

4 Long-Term Hacks That Rocked 2012

News of lengthy hacker incursions into enterprise databases and networks has been plentiful over the last year -- here's a highlight reel

So far, 2012 has been the year for skeletons falling out of the IT security closet. The headlines have been hopping with stories of companies whose networks and databases were thoroughly owned by hackers for months and years at a time, often undetected until government agents came to let them know they'd been compromised and had been for a while. Many organizations go to great lengths to keep news of these kinds of breaches under wraps if no regulated PII is stolen, but this year many haven't kept the light of day from shining on their deep, dark security inadequacies. Dark Reading took a look at some of the most impactful long-term compromises brought to light in the past year and what these events mean to security pros.

1. U.S. Chamber Of Commerce
In the waning days of 2011, news broke that the U.S. Chamber of Commerce fell victim to a year-long attack from Chinese hackers -- a common origin for many of the long-term hacks described here. In this instance, the FBI told the chamber that attackers were using servers in China to steal information from its network. The organization could never pinpoint an initial point of entry, but as it investigated it found that attackers had booby-trapped its entire network with backdoors to better steal from its data stores.

The publicity of this attack gave us food for thought through the New Year about the way hackers had upped their game in strategic targeting against organizations of all types. It showed a "new level of sophistication," Joe Gottlieb, president and CEO of Sensage, told Dark Reading.

"The hackers were able to choose the targeted organization -- the U.S. Chamber of Commerce. They were able to choose the people within that organization that mattered to them -- the individuals known to be working on Asia policy," he says. "They were able to obtain all email content, including attachments, exchanged between these individuals and other organizations, several of which must have been relevant to the matters of interest."

2. Nortel
If one year of unfettered compromise of network and database resources seemed bad, how about ten times that? The security industry had its worst suspicions confirmed about how long attackers could hold onto corporate infrastructures when The Wall Street Journal published insider information that shed light on Nortel's decade spent under the thumb of Chinese hackers prior to the company's parceling itself out to Avaya and several other tech firms in fire sales over the course of 2009 and 2010. Interestingly, Nortel did have a whiff of the unmitigated takeover of its network, but never let on to its acquirers about the bad news.


Security experts say Nortel is no outlier in corporate America.

"The sad reality is that it's highly likely that Nortel isn't the only company that has been breached for a long time and is just now deciding to disclose it," Marcus Carey, security researcher for Rapid7, told Dark Reading.

The WSJ story heavily featured a former employee who led internal investigations into the attacks and was continually blown off by executives as someone "who cried wolf." This scenario highlights the necessity of consensus building and skilled communication coming from the security department in order to catalyze the change necessary to detect and stop the pwnage in its tracks.

3. Japan Finance Ministry
This July, the Japan Finance Ministry let slip that it had been the target of a two-year-long incursion into its networks in 2010 and 2011 by hackers using a remote access Trojan. The malware wasn't discovered until well after it had become active, and Japanese officials said their initial investigation this summer found that 123 of the 2,000 computers checked were infected.

The long-term viability of a Trojan on Japanese government PCs offers a good example of how today's attackers are using obfuscated malware to conduct stealthy attacks.

"To get at the root of the problem, security professionals must leverage a great many tools and employ in-depth (and often manual) analysis of log files, network traffic and program code," wrote Stephen Cobb, author of the recent InformationWeek Report, "How Did They Get In? A Guide to Tracking Down the Source of APTs" (PDF).

4. Coca-Cola
Any industry vet would tell you that one of the favorite example scenarios presented at security conferences about IP theft inevitably wanders toward analogies that involve Coca-Cola. "If you were Coke and your IP was stolen, what would that mean to your business?" is the type of hypothetical that plenty of speakers have bandied about. But this week the hypothetical was shown to have some basis in fact when a report by BloombergBusinessWeek uncovered an attack on Coca-Cola in 2009 that cut so deep into intellectual property and secret company data that insiders say it played a hand in scuppering the beverage giant's bid to buy a Chinese drinks conglomerate.

Security experts say the attack once again shows the critical need to lock down privileged accounts, as reports show that the Coca-Cola compromise came about first through spearphishing and then got worse through the use of attack targets' legitimate network credentials.

"Whether they're called hard-coded passwords, admin passwords, or privileged accounts, they're all privileged access points that provide a direct -- and often anonymous -- route to an organization's most sensitive data and infrastructure," Adam Bosnian, executive vice president of Americas and corporate development for Cyber-Ark, told Dark Reading.

Comments
Cara Latham,
User Rank: Apprentice
11/15/2012 | 7:13:57 PM
re: 4 Long-Term Hacks That Rocked 2012
The new level of sophistication to these recent hacks is scary, especially since they seem to have targeted governmental agencies and large corporations.