Attacks/Breaches
8/3/2011
06:25 PM
Connect Directly
RSS
E-Mail
50%
50%
Repost This

China Suspected Of Shady RAT Attacks

Security experts say it is clear that China is behind the multi-year attack that has compromised scores of companies and government agencies around the world.

Black Hat
10 Massive Security Breaches
(click image for larger view)
Slideshow: 10 Massive Security Breaches
Were the recently disclosed Shady RAT attacks launched by people operating for--or on behalf of--China?

Shady RAT--for remote access tool--is the name of the "low and slow" attack detected by McAfee, and detailed in a report it released on Tuesday. According to McAfee, the attack successfully compromised at least 72 organizations, including 22 governmental agencies and contractors, 13 defense contractors, 23 businesses, and think tanks, political nonprofits, and other organizations.

McAfee said that a single entity was behind the attacks. While it declined to name a suspect, it did suggest that a nation state might be the perpetrator. "The key to these intrusions is that the adversary is motivated by a massive hunger for secrets and intellectual property; this is different from the immediate financial gratification that drives much of cybercrime, another serious but more manageable threat," according to the McAfee report.

Experts, however, said there was little doubt who launched Shady RAT. "This just further confirms what we already know, that China is doing these things," Joel Brenner, former senior counsel to the NSA, former head of U.S. counterintelligence under the Director of National Intelligence, and currently of counsel to Cooley LLP, told InformationWeek at the Black Hat conference, a UBM TechWeb event, in Las Vegas on Wednesday.

According to leaked, secret U.S. government cables, China began launching online attacks--dubbed by government officials as "Byzantine Hades"--in 2002, if not earlier. Things came to a head in 2009, however, with evidence that there had been Chinese involvement in the Operation Aurora attacks against Google, amongst other companies. In response to the attacks, and in a direct shot at Chinese authorities, Google stopped censoring Google.cn. Unnamed Chinese officials, however, denied that China was involved.

During its Operation Aurora investigation, Google discovered that there had been at least 30 other organizations attacked. "The vast majority of them had no idea that they were victims, until they got a call from Google," said Alex Stamos, CTO of security consulting company iSEC Partners. (While Google didn't name those companies, a leak of emails from HBGary, as detailed by Kaspersky Lab, said that Adobe, DuPont, Juniper Networks, Northrop Grumman, and Sony were among the compromised organizations.)

Why does it take organizations so long to spot these attacks? "Scale, impact, and source," said Joe Gottleib, president and CEO of security event management vendor SenSage, via email. "A slow-moving attack often falls below the radar because it requires methodical analysis of event data, over a broad landscape, and a long period of time. Cyber-cunning is not just about clever attacks. It's about being patient and slow, where real-time analysis simply won't pick you up."

Without a doubt, spotting APT-driven exploits can be quite difficult, even for sophisticated organizations. For example, at the Black Hat conference, Tony Sager, chief of the NSA's information assurance directorate, told InformationWeek that in the NSA's experience with red teaming the Department of Defense, it can take some time to detect quite low-level attacks and, on occasion, the red team needs to escalate the attacks before they get spotted.

Given that status quo, and as Operation Aurora, Night Dragon, and now Shady RAT attacks illustrate, "the rules of engagement are changing, even between nation states," said Sager.

Furthermore, given the anti-security and anti-establishment efforts of Anonymous, LulzSec, and their "anti-security" ilk, the game now involves more than just nation states. "It's a bit chaotic and anarchic recently," he said.

In this new Tech Center report, we profile five database breaches--and extract the lessons to be learned from each. Plus: A rundown of six technologies to reduce your risk. Download it here (registration required).

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-0360
Published: 2014-04-23
Memory leak in Cisco IOS before 15.1(1)SY, when IKEv2 debugging is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted packets, aka Bug ID CSCtn22376.

CVE-2012-1317
Published: 2014-04-23
The multicast implementation in Cisco IOS before 15.1(1)SY allows remote attackers to cause a denial of service (Route Processor crash) by sending packets at a high rate, aka Bug ID CSCts37717.

CVE-2012-1366
Published: 2014-04-23
Cisco IOS before 15.1(1)SY on ASR 1000 devices, when Multicast Listener Discovery (MLD) tracking is enabled for IPv6, allows remote attackers to cause a denial of service (device reload) via crafted MLD packets, aka Bug ID CSCtz28544.

CVE-2012-3062
Published: 2014-04-23
Cisco IOS before 15.1(1)SY, when Multicast Listener Discovery (MLD) snooping is enabled, allows remote attackers to cause a denial of service (CPU consumption or device crash) via MLD packets on a network that contains many IPv6 hosts, aka Bug ID CSCtr88193.

CVE-2012-3918
Published: 2014-04-23
Cisco IOS before 15.3(1)T on Cisco 2900 devices, when a VWIC2-2MFT-T1/E1 card is configured for TDM/HDLC mode, allows remote attackers to cause a denial of service (serial-interface outage) via certain Frame Relay traffic, aka Bug ID CSCub13317.

Best of the Web