2/16/2011
06:00 PM

Schwartz On Security: Unraveling Night Dragon Attacks

Attacks launched from China against oil and gas companies used simple hacking tools and even legitimate software.

Vendors as well as government agencies seeking funding love to trot out the "be afraid" mantra. This year's RSA conference is no exception, with Stuxnet now the cause célèbre.

Is there a dose of sabotage in your future? Perhaps, as apparently even the pro-WikiLeaks hacking collective Anonymous now has a copy of Stuxnet. That's according to a recent tweet by one self-described member of the collective known as Topiary.

So if you operate an Internet-connected nuclear centrifuge that runs Siemens Simatic WinCC SCADA systems software, working in conjunction with 33 or more frequency converter drives from specific vendors in Iran or Finland -- all of this being the only environment that Stuxnet targets -- watch out.

For everyone else, it's back-to-basics time, especially in the wake of last week's report from McAfee revealing that since November 2009 -- and possibly earlier -- "coordinated covert and targeted cyber attacks have been conducted against global oil, energy, and petrochemical companies."

The goal was apparently simple: to steal confidential and proprietary information, including project-financing details, relating to a number of oil and gas field projects.

While McAfee didn't reveal the targeted companies, it says the operation -- which it dubbed Night Dragon -- appeared to originate in China and not to involve anarchist talent, as the attackers worked from 9 to 5, Beijing time. Or in the words of the report, it appears that "the involved individuals were 'company men' working on a regular job, rather than freelance or unprofessional hackers." Furthermore, McAfee says it traced at least one person who helped support the attacks -- by leasing Internet hosting to the attackers -- to Heze City, 360 miles from Beijing.

How did attackers break into oil and gas companies? Via the usual suspects: SQL injection attacks to compromise perimeter security, followed by social engineering and phishing attacks, exploiting known Windows and Active Directory vulnerabilities, as well as using customized remote administration tools (RATs) to connect directly with compromised computers.

"These methods and tools are relatively unsophisticated," says George Kurtz, worldwide CTO of McAfee, in a blog post. "The tools simply appear to be standard host administration techniques that utilize administrative credentials. This is largely why they are able to evade detection by standard security software and network policies."

In other words, unlike Stuxnet, or the Aurora attacks that targeted Google and other major technology companies about a year ago, attackers here used cheap tools and techniques to execute targeted attacks that apparently succeeded at procuring valuable information.

What's the takeaway from Night Dragon, for the energy sector or any other business? Simply this: When it comes to cybercriminals, it's business as normal. "The report reflects not so much a single piece of sophistication, in either attack methodology or malware. Instead it emphasizes the persistent and coordinated attacks of organized groups against specific organizations, with the goal of extracting sensitive data," says Fraser Howard, a principal virus researcher at SophosLabs, in a blog post.

As with so many attacks, criminals relied on known vulnerabilities and common attack vectors. "The truth is that this week is no different to last -- there is no new outbreak, vulnerability, or risk of infection," he says. "Instead, the attacks illustrate the background crimeware menace that all organizations face."

But if there's one immediate takeaway, he says, it's that more organizations should be using potentially unwanted application (PUA) and application control (AppC) detection technology to monitor for legitimate but unwanted software operating inside the network. "The one thing clear from the Night Dragon attacks is that the use of PUA and AppC detections should not be dismissed," says Howard. "Using these types of technology to help manage what is allowed to run on your network can clearly provide a real security benefit."
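The point Kurtz and Howard make is that standard admin tools run with valid credentials slip past signature-based defenses, but not past a policy that says what may run where. The following is an added illustration, not code from McAfee, Sophos or the article: an application-control check over constructed process-execution events, where hosts, users, tool names and the placeholder "hashes" are all invented for the example.

```python
"""Application-control (AppC) and PUA check over constructed endpoint events.

Assumed setting: each endpoint reports the image it launched and a hash of
the binary. Policy holds (a) an allowlist of approved hashes per host role
and (b) a PUA list of legitimate remote-admin tools that are expected only
on admin workstations. All values below are constructed placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exec:
    host: str
    role: str      # "workstation", "server" or "admin"
    user: str
    image: str     # executable name as reported by the endpoint
    sha256: str    # constructed placeholder, not a real hash


# Constructed allowlist: hashes approved to run on each host role.
ALLOW = {
    "workstation": {"h-office", "h-browser"},
    "server": {"h-db", "h-backup"},
    "admin": {"h-office", "h-browser", "h-remoteadmin"},
}
# Constructed PUA list: legitimate tools that are unwanted outside admin hosts.
PUA = {"remoteadmin.exe", "rat-client.exe"}


def evaluate(events):
    """Return one (severity, host, user, image, reason) tuple per policy hit.

    Valid credentials do not matter here: a remote-admin tool on a server is
    flagged even when a domain admin launched it, and an unknown binary is
    flagged even if it borrows the name of a system process.
    """
    findings = []
    for e in events:
        approved = e.sha256 in ALLOW.get(e.role, set())
        if e.image.lower() in PUA and e.role != "admin":
            findings.append(("high", e.host, e.user, e.image,
                             "PUA: remote-admin tool outside admin role"))
        elif not approved:
            findings.append(("medium", e.host, e.user, e.image,
                             "AppC: hash not allowlisted for role " + e.role))
    return findings


# Constructed sample: one benign launch, one admin tool on a server, one
# unknown binary posing as a system process, one admin tool where it belongs.
SAMPLE = [
    Exec("ws-07", "workstation", "jdoe", "winword.exe", "h-office"),
    Exec("srv-01", "server", "CORP\\admin7", "remoteadmin.exe", "h-remoteadmin"),
    Exec("srv-01", "server", "CORP\\admin7", "svchost.exe", "h-unknown"),
    Exec("adm-02", "admin", "CORP\\admin7", "remoteadmin.exe", "h-remoteadmin"),
]

if __name__ == "__main__":
    for finding in evaluate(SAMPLE):
        print(*finding, sep=" | ")
```

Only the two server-side launches produce findings; the same tool on the admin workstation is silent because the policy, not the tool, decides.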

In other words, don't be afraid. Simply be prepared.

See all stories by Mathew J. Schwartz
