8/3/2011
06:25 PM

China Suspected Of Shady RAT Attacks

Security experts say it is clear that China is behind the multi-year attack that has compromised scores of companies and government agencies around the world.

Were the recently disclosed Shady RAT attacks launched by people operating for--or on behalf of--China?

Shady RAT--for remote access tool--is the name of the "low and slow" attack detected by McAfee, and detailed in a report it released on Tuesday. According to McAfee, the attack successfully compromised at least 72 organizations, including 22 governmental agencies and contractors, 13 defense contractors, 23 businesses, and think tanks, political nonprofits, and other organizations.

McAfee said that a single entity was behind the attacks. While it declined to name a suspect, it did suggest that a nation state might be the perpetrator. "The key to these intrusions is that the adversary is motivated by a massive hunger for secrets and intellectual property; this is different from the immediate financial gratification that drives much of cybercrime, another serious but more manageable threat," according to the McAfee report.

Experts, however, said there was little doubt who launched Shady RAT. "This just further confirms what we already know, that China is doing these things," Joel Brenner, former senior counsel to the NSA, former head of U.S. counterintelligence under the Director of National Intelligence, and currently of counsel to Cooley LLP, told InformationWeek at the Black Hat conference, a UBM TechWeb event, in Las Vegas on Wednesday.

According to leaked, secret U.S. government cables, China began launching online attacks--dubbed by government officials as "Byzantine Hades"--in 2002, if not earlier. Things came to a head in 2009, however, with evidence that there had been Chinese involvement in the Operation Aurora attacks against Google, amongst other companies. In response to the attacks, and in a direct shot at Chinese authorities, Google stopped censoring Google.cn. Unnamed Chinese officials, however, denied that China was involved.

During its Operation Aurora investigation, Google discovered that there had been at least 30 other organizations attacked. "The vast majority of them had no idea that they were victims, until they got a call from Google," said Alex Stamos, CTO of security consulting company iSEC Partners. (While Google didn't name those companies, a leak of emails from HBGary, as detailed by Kaspersky Lab, said that Adobe, DuPont, Juniper Networks, Northrop Grumman, and Sony were among the compromised organizations.)

Why does it take organizations so long to spot these attacks? "Scale, impact, and source," said Joe Gottleib, president and CEO of security event management vendor SenSage, via email. "A slow-moving attack often falls below the radar because it requires methodical analysis of event data, over a broad landscape, and a long period of time. Cyber-cunning is not just about clever attacks. It's about being patient and slow, where real-time analysis simply won't pick you up."

Without a doubt, spotting APT-driven exploits can be quite difficult, even for sophisticated organizations. For example, at the Black Hat conference, Tony Sager, chief of the NSA's information assurance directorate, told InformationWeek that in the NSA's experience with red teaming the Department of Defense, it can take some time to detect quite low-level attacks and, on occasion, the red team needs to escalate the attacks before they get spotted.

Given that status quo, and as Operation Aurora, Night Dragon, and now Shady RAT attacks illustrate, "the rules of engagement are changing, even between nation states," said Sager.

Furthermore, given the anti-establishment efforts of Anonymous, LulzSec, and their "anti-security" ilk, the game now involves more than just nation states. "It's a bit chaotic and anarchic recently," he said.
