Attacks/Breaches
8/3/2011
06:25 PM
Connect Directly
RSS
E-Mail
50%
50%

China Suspected Of Shady RAT Attacks

Security experts say it is clear that China is behind the multi-year attack that has compromised scores of companies and government agencies around the world.

Black Hat
10 Massive Security Breaches
(click image for larger view)
Slideshow: 10 Massive Security Breaches
Were the recently disclosed Shady RAT attacks launched by people operating for--or on behalf of--China?

Shady RAT--for remote access tool--is the name of the "low and slow" attack detected by McAfee, and detailed in a report it released on Tuesday. According to McAfee, the attack successfully compromised at least 72 organizations, including 22 governmental agencies and contractors, 13 defense contractors, 23 businesses, and think tanks, political nonprofits, and other organizations.

McAfee said that a single entity was behind the attacks. While it declined to name a suspect, it did suggest that a nation state might be the perpetrator. "The key to these intrusions is that the adversary is motivated by a massive hunger for secrets and intellectual property; this is different from the immediate financial gratification that drives much of cybercrime, another serious but more manageable threat," according to the McAfee report.

Experts, however, said there was little doubt who launched Shady RAT. "This just further confirms what we already know, that China is doing these things," Joel Brenner, former senior counsel to the NSA, former head of U.S. counterintelligence under the Director of National Intelligence, and currently of counsel to Cooley LLP, told InformationWeek at the Black Hat conference, a UBM TechWeb event, in Las Vegas on Wednesday.

According to leaked, secret U.S. government cables, China began launching online attacks--dubbed by government officials as "Byzantine Hades"--in 2002, if not earlier. Things came to a head in 2009, however, with evidence that there had been Chinese involvement in the Operation Aurora attacks against Google, amongst other companies. In response to the attacks, and in a direct shot at Chinese authorities, Google stopped censoring Google.cn. Unnamed Chinese officials, however, denied that China was involved.

During its Operation Aurora investigation, Google discovered that there had been at least 30 other organizations attacked. "The vast majority of them had no idea that they were victims, until they got a call from Google," said Alex Stamos, CTO of security consulting company iSEC Partners. (While Google didn't name those companies, a leak of emails from HBGary, as detailed by Kaspersky Lab, said that Adobe, DuPont, Juniper Networks, Northrop Grumman, and Sony were among the compromised organizations.)

Why does it take organizations so long to spot these attacks? "Scale, impact, and source," said Joe Gottleib, president and CEO of security event management vendor SenSage, via email. "A slow-moving attack often falls below the radar because it requires methodical analysis of event data, over a broad landscape, and a long period of time. Cyber-cunning is not just about clever attacks. It's about being patient and slow, where real-time analysis simply won't pick you up."

Without a doubt, spotting APT-driven exploits can be quite difficult, even for sophisticated organizations. For example, at the Black Hat conference, Tony Sager, chief of the NSA's information assurance directorate, told InformationWeek that in the NSA's experience with red teaming the Department of Defense, it can take some time to detect quite low-level attacks and, on occasion, the red team needs to escalate the attacks before they get spotted.

Given that status quo, and as Operation Aurora, Night Dragon, and now Shady RAT attacks illustrate, "the rules of engagement are changing, even between nation states," said Sager.

Furthermore, given the anti-security and anti-establishment efforts of Anonymous, LulzSec, and their "anti-security" ilk, the game now involves more than just nation states. "It's a bit chaotic and anarchic recently," he said.

In this new Tech Center report, we profile five database breaches--and extract the lessons to be learned from each. Plus: A rundown of six technologies to reduce your risk. Download it here (registration required).

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0485
Published: 2014-09-02
S3QL 1.18.1 and earlier uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object in (1) common.py or (2) local.py in backends/.

CVE-2014-3861
Published: 2014-09-02
Cross-site scripting (XSS) vulnerability in CDA.xsl in HL7 C-CDA 1.1 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted reference element within a nonXMLBody element.

CVE-2014-3862
Published: 2014-09-02
CDA.xsl in HL7 C-CDA 1.1 and earlier allows remote attackers to discover potentially sensitive URLs via a crafted reference element that triggers creation of an IMG element with an arbitrary URL in its SRC attribute, leading to information disclosure in a Referer log.

CVE-2014-5076
Published: 2014-09-02
The La Banque Postale application before 3.2.6 for Android does not prevent the launching of an activity by a component of another application, which allows attackers to obtain sensitive cached banking information via crafted intents, as demonstrated by the drozer framework.

CVE-2014-5136
Published: 2014-09-02
Cross-site scripting (XSS) vulnerability in Innovative Interfaces Sierra Library Services Platform 1.2_3 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.