Attacks/Breaches
8/3/2011
06:25 PM
Connect Directly
RSS
E-Mail
50%
50%

China Suspected Of Shady RAT Attacks

Security experts say it is clear that China is behind the multi-year attack that has compromised scores of companies and government agencies around the world.

Black Hat
10 Massive Security Breaches
(click image for larger view)
Slideshow: 10 Massive Security Breaches
Were the recently disclosed Shady RAT attacks launched by people operating for--or on behalf of--China?

Shady RAT--for remote access tool--is the name of the "low and slow" attack detected by McAfee, and detailed in a report it released on Tuesday. According to McAfee, the attack successfully compromised at least 72 organizations, including 22 governmental agencies and contractors, 13 defense contractors, 23 businesses, and think tanks, political nonprofits, and other organizations.

McAfee said that a single entity was behind the attacks. While it declined to name a suspect, it did suggest that a nation state might be the perpetrator. "The key to these intrusions is that the adversary is motivated by a massive hunger for secrets and intellectual property; this is different from the immediate financial gratification that drives much of cybercrime, another serious but more manageable threat," according to the McAfee report.

Experts, however, said there was little doubt who launched Shady RAT. "This just further confirms what we already know, that China is doing these things," Joel Brenner, former senior counsel to the NSA, former head of U.S. counterintelligence under the Director of National Intelligence, and currently of counsel to Cooley LLP, told InformationWeek at the Black Hat conference, a UBM TechWeb event, in Las Vegas on Wednesday.

According to leaked, secret U.S. government cables, China began launching online attacks--dubbed by government officials as "Byzantine Hades"--in 2002, if not earlier. Things came to a head in 2009, however, with evidence that there had been Chinese involvement in the Operation Aurora attacks against Google, amongst other companies. In response to the attacks, and in a direct shot at Chinese authorities, Google stopped censoring Google.cn. Unnamed Chinese officials, however, denied that China was involved.

During its Operation Aurora investigation, Google discovered that there had been at least 30 other organizations attacked. "The vast majority of them had no idea that they were victims, until they got a call from Google," said Alex Stamos, CTO of security consulting company iSEC Partners. (While Google didn't name those companies, a leak of emails from HBGary, as detailed by Kaspersky Lab, said that Adobe, DuPont, Juniper Networks, Northrop Grumman, and Sony were among the compromised organizations.)

Why does it take organizations so long to spot these attacks? "Scale, impact, and source," said Joe Gottleib, president and CEO of security event management vendor SenSage, via email. "A slow-moving attack often falls below the radar because it requires methodical analysis of event data, over a broad landscape, and a long period of time. Cyber-cunning is not just about clever attacks. It's about being patient and slow, where real-time analysis simply won't pick you up."

Without a doubt, spotting APT-driven exploits can be quite difficult, even for sophisticated organizations. For example, at the Black Hat conference, Tony Sager, chief of the NSA's information assurance directorate, told InformationWeek that in the NSA's experience with red teaming the Department of Defense, it can take some time to detect quite low-level attacks and, on occasion, the red team needs to escalate the attacks before they get spotted.

Given that status quo, and as Operation Aurora, Night Dragon, and now Shady RAT attacks illustrate, "the rules of engagement are changing, even between nation states," said Sager.

Furthermore, given the anti-security and anti-establishment efforts of Anonymous, LulzSec, and their "anti-security" ilk, the game now involves more than just nation states. "It's a bit chaotic and anarchic recently," he said.

In this new Tech Center report, we profile five database breaches--and extract the lessons to be learned from each. Plus: A rundown of six technologies to reduce your risk. Download it here (registration required).

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0103
Published: 2014-07-29
WebAccess in Zarafa before 7.1.10 and WebApp before 1.6 stores credentials in cleartext, which allows local Apache users to obtain sensitive information by reading the PHP session files.

CVE-2014-0475
Published: 2014-07-29
Multiple directory traversal vulnerabilities in GNU C Library (aka glibc or libc6) before 2.20 allow context-dependent attackers to bypass ForceCommand restrictions and possibly have other unspecified impact via a .. (dot dot) in a (1) LC_*, (2) LANG, or other locale environment variable.

CVE-2014-0889
Published: 2014-07-29
Multiple cross-site scripting (XSS) vulnerabilities in IBM Atlas Suite (aka Atlas Policy Suite), as used in Atlas eDiscovery Process Management through 6.0.3, Disposal and Governance Management for IT through 6.0.3, and Global Retention Policy and Schedule Management through 6.0.3, allow remote atta...

CVE-2014-2226
Published: 2014-07-29
Ubiquiti UniFi Controller before 3.2.1 logs the administrative password hash in syslog messages, which allows man-in-the-middle attackers to obtains sensitive information via unspecified vectors.

CVE-2014-3020
Published: 2014-07-29
install.sh in the Embedded WebSphere Application Server (eWAS) 7.0 before FP33 in IBM Tivoli Integrated Portal (TIP) 2.1 and 2.2 sets world-writable permissions for the installRoot directory tree, which allows local users to gain privileges via a Trojan horse program.

Best of the Web
Dark Reading Radio