Attacks/Breaches
9/7/2012
11:07 AM
Connect Directly
RSS
E-Mail
50%
50%

Google Aurora Attackers Still On Loose, Symantec Says

Gang that attacked Google in 2009 has continued operating, stealing sensitive data via zero-day attacks and compromising target companies' business partners.

Who Is Anonymous: 10 Key Facts
Who Is Anonymous: 10 Key Facts
(click image for larger view and for slideshow)
Whatever happened to the group of attackers that successfully hacked into Google in 2009?

That attack, first disclosed by Google in January 2010 and later dubbed "Operation Aurora"--for the Aurora (a.k.a. Hydraq) Trojan horse application used--was described at the time by Google as "a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google." The attack became the basis for what's now generally referred to as the advanced persistent threat (APT), meaning an exploit that's been launched by a technologically astute as well as patient attacker.

Three years later, it turns out that the gang behind the Aurora attacks is still at large, and apparently more technologically advanced than ever. That revelation comes via Symantec, which Friday released a report on the gang and its attack campaigns, which Symantec has dubbed the "Elderwood Project." Elderwood refers to the infrastructure that the gang uses--and to speed up their attacks, largely reuses--to rapidly integrate new zero-day exploits and launch attacks.

One of the major findings from Symantec's report, which notably doesn't mention China or ascribe a geographical location to the origin of the attacks, is that although the gang might still be compromising targets via spear-phishing attacks as it did with Google, it also has begun using what Symantec has dubbed "watering hole" attacks. This means the gang compromises sites that it believes its targets will visit, in advance of their doing so.

[ Read 8 Lessons From Nortel's 10-Year Security Breach. ]

"The concept of the attack is similar to a predator waiting at a watering hole in a desert. The predator knows that victims will eventually have to come to the watering hole, so rather than go hunting, he waits for his victims to come to him," according to blog post from Symantec Security Response. In the case of the Aurora gang, this approach involves exploiting the target site, and then attempting to compromise and automatically install a Trojan backdoor application on every PC that visits the site. Symantec said it's seen up to three different zero-day attacks being used in a 30-day period in related attacks.

As that suggests, the attackers seem to have access to top-notch information security expertise. "The group seemingly has an unlimited supply of zero-day vulnerabilities. The vulnerabilities are used as needed, often within close succession of each other if exposure of the currently used vulnerability is imminent," said Symantec. In other words, the attackers aren't stingy.

"Serious zero-day vulnerabilities, which are exploited in the wild and affect a widely used piece of software, are relatively rare; there were approximately eight in 2011," said Symantec. But just in the past few months, the gang has exploited a record four different zero-day vulnerabilities in its attacks. "Although there are other attackers utilizing zero-day exploits (for example, the Sykipot, Nitro, or even Stuxnet attacks), we have seen no other group use so many," the company said.

The most recently used zero-day attacks targeted two previously unknown flaws in Adobe Flash Player, one in Internet Explorer, and one in Microsoft XML Core Services. All of the exploits can be used to remotely execute code on infected systems. "In order to discover these vulnerabilities, a large undertaking would be required by the attackers to thoroughly reverse-engineer the compiled applications," said Symantec. "This effort would be substantially reduced if they had access to source code."

Who's most at risk of attack by this gang? Symantec said that to date, defense contractors "who manufacture electronic or mechanical components that are sold to top-tier defense companies" are the principle victims. In other words, businesses outside of that sector shouldn't have to worry about being directly attacked by this particular gang.

But for any businesses in the defense sector, or which works with the defense sector, watch out, and especially for business partners with a weak information security posture. That's because the gang has no qualms about compromising the systems of one of its target's business partners, and then using that business partner's systems to attack and exploit the actual target.

"The attackers do so expecting weaker security postures in these lower tier organizations and might use these manufacturers as a stepping-stone to gain access to top-tier defense contractors, or obtain intellectual property used in the production of parts that make up larger products produced by a top-tier defense company," said Symantec.

Mobile employees' data and apps need protecting. Here are 10 ways to get the job done. Also in the new, all-digital 10 Steps To E-Commerce Security special issue of Dark Reading: Mobile technology is forcing businesses to rethink the fundamentals of how their networks work. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2363
Published: 2014-07-26
Morpho Itemiser 3 8.17 has hardcoded administrative credentials, which makes it easier for remote attackers to obtain access via a login request.

CVE-2014-2625
Published: 2014-07-26
Directory traversal vulnerability in the storedNtxFile function in HP Network Virtualization 8.6 (aka Shunra Network Virtualization) allows remote attackers to read arbitrary files via crafted input, aka ZDI-CAN-2023.

CVE-2014-2626
Published: 2014-07-26
Directory traversal vulnerability in the toServerObject function in HP Network Virtualization 8.6 (aka Shunra Network Virtualization) allows remote attackers to create files, and consequently execute arbitrary code, via crafted input, aka ZDI-CAN-2024.

CVE-2014-2966
Published: 2014-07-26
The ISO-8859-1 encoder in Resin Pro before 4.0.40 does not properly perform Unicode transformations, which allows remote attackers to bypass intended text restrictions via crafted characters, as demonstrated by bypassing an XSS protection mechanism.

CVE-2014-3071
Published: 2014-07-26
Cross-site scripting (XSS) vulnerability in the Data Quality Console in IBM InfoSphere Information Server 11.3 allows remote attackers to inject arbitrary web script or HTML via a crafted URL for adding a project connection.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Sara Peters hosts a conversation on Botnets and those who fight them.