Attacks/Breaches
2/16/2011
06:00 PM

Schwartz On Security: Unraveling Night Dragon Attacks

Attacks launched from China against oil and gas companies used simple hacking tools and even legitimate software.

Vendors as well as government agencies seeking funding love to trot out the "be afraid" mantra. This year's RSA conference is no exception, with Stuxnet now the cause célèbre.

Is there a dose of sabotage in your future? Perhaps, as apparently even the pro-WikiLeaks hacking collective Anonymous now has a copy of Stuxnet. That's according to a recent tweet by one self-described member of the collective known as Topiary.

So if you operate an Internet-connected nuclear centrifuge that runs Siemens Simatic WinCC SCADA systems software, working in conjunction with 33 or more frequency converter drives from specific vendors in Iran or Finland -- all of this being the only environment that Stuxnet targets -- watch out.

For everyone else, it's back-to-basics time, especially in the wake of last week's report from McAfee revealing that since November 2009 -- and possibly earlier -- "coordinated covert and targeted cyber attacks have been conducted against global oil, energy, and petrochemical companies."

The goal was apparently simple: to steal confidential and proprietary information, including project-financing details, relating to a number of oil and gas field projects.

While McAfee didn't reveal the targeted companies, it says the operation -- which it dubbed Night Dragon -- appeared to originate in China and not to involve anarchist talent, as attackers worked from 9 to 5, Beijing time. Or in the words of the report, it appears that "the involved individuals were 'company men' working on a regular job, rather than freelance or unprofessional hackers." Furthermore, McAfee says it traced at least one person who helped support the attacks -- by leasing Internet hosting to the attackers -- to Heze City, 360 miles from Beijing.

How did attackers break into oil and gas companies? Via the usual suspects: SQL injection attacks to compromise perimeter security, followed by social engineering and phishing attacks, exploiting known Windows and Active Directory vulnerabilities, as well as using customized remote administration tools (RATs) to connect directly with compromised computers.

"These methods and tools are relatively unsophisticated," says George Kurtz, worldwide CTO of McAfee, in a blog post. "The tools simply appear to be standard host administration techniques that utilize administrative credentials. This is largely why they are able to evade detection by standard security software and network policies."

In other words, unlike Stuxnet, or the Aurora attacks that targeted Google and other major technology companies about a year ago, attackers here used cheap tools and techniques to execute targeted attacks that apparently succeeded at procuring valuable information.

What's the takeaway from Night Dragon, for the energy sector or any other business? Simply this: When it comes to cybercriminals, it's business as normal. "The report reflects not so much a single piece of sophistication, in either attack methodology or malware. Instead it emphasizes the persistent and coordinated attacks of organized groups against specific organizations, with the goal of extracting sensitive data," says Fraser Howard, a principal virus researcher at SophosLabs, in a blog post.

As with so many attacks, criminals relied on known vulnerabilities and common attack vectors. "The truth is that this week is no different to last -- there is no new outbreak, vulnerability, or risk of infection," he says. "Instead, the attacks illustrate the background crimeware menace that all organizations face."

But if there's one immediate takeaway, he says, it's that more organizations should be using potentially unwanted application (PUA) and application control (AppC) detection technology to monitor for legitimate but unwanted software operating inside the network. "The one thing clear from the Night Dragon attacks is that the use of PUA and AppC detections should not be dismissed," says Fraser. "Using these types of technology to help manage what is allowed to run on your network can clearly provide a real security benefit."

In other words, don't be afraid. Simply be prepared.

See all stories by Mathew J. Schwartz
