Attacks/Breaches
9/7/2012
11:07 AM
Connect Directly
RSS
E-Mail
50%
50%
Repost This

Google Aurora Attackers Still On Loose, Symantec Says

Gang that attacked Google in 2009 has continued operating, stealing sensitive data via zero-day attacks and compromising target companies' business partners.

Who Is Anonymous: 10 Key Facts
Who Is Anonymous: 10 Key Facts
(click image for larger view and for slideshow)
Whatever happened to the group of attackers that successfully hacked into Google in 2009?

That attack, first disclosed by Google in January 2010 and later dubbed "Operation Aurora"--for the Aurora (a.k.a. Hydraq) Trojan horse application used--was described at the time by Google as "a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google." The attack became the basis for what's now generally referred to as the advanced persistent threat (APT), meaning an exploit that's been launched by a technologically astute as well as patient attacker.

Three years later, it turns out that the gang behind the Aurora attacks is still at large, and apparently more technologically advanced than ever. That revelation comes via Symantec, which Friday released a report on the gang and its attack campaigns, which Symantec has dubbed the "Elderwood Project." Elderwood refers to the infrastructure that the gang uses--and to speed up their attacks, largely reuses--to rapidly integrate new zero-day exploits and launch attacks.

One of the major findings from Symantec's report, which notably doesn't mention China or ascribe a geographical location to the origin of the attacks, is that although the gang might still be compromising targets via spear-phishing attacks as it did with Google, it also has begun using what Symantec has dubbed "watering hole" attacks. This means the gang compromises sites that it believes its targets will visit, in advance of their doing so.

[ Read 8 Lessons From Nortel's 10-Year Security Breach. ]

"The concept of the attack is similar to a predator waiting at a watering hole in a desert. The predator knows that victims will eventually have to come to the watering hole, so rather than go hunting, he waits for his victims to come to him," according to blog post from Symantec Security Response. In the case of the Aurora gang, this approach involves exploiting the target site, and then attempting to compromise and automatically install a Trojan backdoor application on every PC that visits the site. Symantec said it's seen up to three different zero-day attacks being used in a 30-day period in related attacks.

As that suggests, the attackers seem to have access to top-notch information security expertise. "The group seemingly has an unlimited supply of zero-day vulnerabilities. The vulnerabilities are used as needed, often within close succession of each other if exposure of the currently used vulnerability is imminent," said Symantec. In other words, the attackers aren't stingy.

"Serious zero-day vulnerabilities, which are exploited in the wild and affect a widely used piece of software, are relatively rare; there were approximately eight in 2011," said Symantec. But just in the past few months, the gang has exploited a record four different zero-day vulnerabilities in its attacks. "Although there are other attackers utilizing zero-day exploits (for example, the Sykipot, Nitro, or even Stuxnet attacks), we have seen no other group use so many," the company said.

The most recently used zero-day attacks targeted two previously unknown flaws in Adobe Flash Player, one in Internet Explorer, and one in Microsoft XML Core Services. All of the exploits can be used to remotely execute code on infected systems. "In order to discover these vulnerabilities, a large undertaking would be required by the attackers to thoroughly reverse-engineer the compiled applications," said Symantec. "This effort would be substantially reduced if they had access to source code."

Who's most at risk of attack by this gang? Symantec said that to date, defense contractors "who manufacture electronic or mechanical components that are sold to top-tier defense companies" are the principle victims. In other words, businesses outside of that sector shouldn't have to worry about being directly attacked by this particular gang.

But for any businesses in the defense sector, or which works with the defense sector, watch out, and especially for business partners with a weak information security posture. That's because the gang has no qualms about compromising the systems of one of its target's business partners, and then using that business partner's systems to attack and exploit the actual target.

"The attackers do so expecting weaker security postures in these lower tier organizations and might use these manufacturers as a stepping-stone to gain access to top-tier defense contractors, or obtain intellectual property used in the production of parts that make up larger products produced by a top-tier defense company," said Symantec.

Mobile employees' data and apps need protecting. Here are 10 ways to get the job done. Also in the new, all-digital 10 Steps To E-Commerce Security special issue of Dark Reading: Mobile technology is forcing businesses to rethink the fundamentals of how their networks work. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-1421
Published: 2014-04-22
Cross-site scripting (XSS) vulnerability in Craig Knudsen WebCalendar before 1.2.5, 1.2.6, and other versions before 1.2.7 allows remote attackers to inject arbitrary web script or HTML via the Category Name field to category.php.

CVE-2013-2105
Published: 2014-04-22
The Show In Browser (show_in_browser) gem 0.0.3 for Ruby allows local users to inject arbitrary web script or HTML via a symlink attack on /tmp/browser.html.

CVE-2013-2187
Published: 2014-04-22
Cross-site scripting (XSS) vulnerability in Apache Archiva 1.2 through 1.2.2 and 1.3 before 1.3.8 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters, related to the home page.

CVE-2013-4116
Published: 2014-04-22
lib/npm.js in Node Packaged Modules (npm) before 1.3.3 allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names that are created when unpacking archives.

CVE-2013-4472
Published: 2014-04-22
The openTempFile function in goo/gfile.cc in Xpdf and Poppler 0.24.3 and earlier, when running on a system other than Unix, allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names.

Best of the Web