2/16/2011
06:00 PM
Schwartz On Security: Unraveling Night Dragon Attacks

Attacks launched from China against oil and gas companies used simple hacking tools and even legitimate software.

Vendors as well as government agencies seeking funding love to trot out the "be afraid" mantra. This year's RSA conference is no exception, with Stuxnet now the cause célèbre.

Is there a dose of sabotage in your future? Perhaps, as apparently even the pro-WikiLeaks hacking collective Anonymous now has a copy of Stuxnet. That's according to a recent tweet by one self-described member of the collective known as Topiary.

So if you operate an Internet-connected uranium-enrichment cascade controlled by Siemens Simatic WinCC/Step 7 SCADA software driving 33 or more frequency converters from specific vendors in Iran or Finland -- the only configuration Stuxnet's payload actually fires on -- watch out.

For everyone else, it's back-to-basics time, especially in the wake of last week's report from McAfee revealing that since November 2009 -- and possibly earlier -- "coordinated covert and targeted cyber attacks have been conducted against global oil, energy, and petrochemical companies."

The goal was apparently simple: to steal confidential and proprietary information, including project-financing details, relating to a number of oil and gas field projects.

While McAfee didn't reveal the targeted companies, it says the operation -- which it dubbed Night Dragon -- appeared to originate in China and not to be the work of hacktivists or anarchists: the attackers worked 9 to 5, Beijing time. Or in the words of the report, it appears that "the involved individuals were 'company men' working on a regular job, rather than freelance or unprofessional hackers." Furthermore, McAfee says it traced at least one person who helped support the attacks -- by leasing Internet hosting to the attackers -- to Heze City, 360 miles from Beijing.

How did attackers break into oil and gas companies? Via the usual suspects: SQL injection attacks against Internet-facing Web servers to get a foothold past the perimeter, followed by social engineering and phishing attacks, exploitation of known Windows and Active Directory weaknesses to harvest administrative credentials, and customized remote administration tools (RATs) to connect directly to compromised computers.
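The first link in that chain, SQL injection, is worth seeing in code. The following is an added example, not code from the article or from McAfee's report: a login query built by string concatenation beside the parameterized version that closes the hole. It runs against an in-memory SQLite database with constructed sample rows; the table, user names and passwords are made up.

```python
"""Added example (not from the article or McAfee's report): a SQL injection
flaw of the kind that hands an attacker a perimeter Web server, beside the
parameterized query that fixes it. Sample data is constructed."""
import sqlite3


def make_db():
    """Constructed sample users table: one admin and one ordinary user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "Winter2011!", "admin"), ("jsmith", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by concatenation, so user input is parsed as SQL.

    With password = "' OR '1'='1" the WHERE clause becomes
      username = 'admin' AND password = '' OR '1'='1'
    which is true for every row, so the first row (the admin) is returned.
    With username = "admin'--" the rest of the statement is commented out.
    """
    query = (
        "SELECT username, role FROM users WHERE username = '"
        + username + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone()


def login_fixed(conn, username, password):
    """Same query with bound parameters: the input is data, never SQL text."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


if __name__ == "__main__":
    db = make_db()
    # Two classic payloads: a tautology in the password field and a comment
    # sequence in the username field.
    for user, pw in (("admin", "' OR '1'='1"), ("admin'--", "anything")):
        print("vulnerable:", repr(user), repr(pw), "->", login_vulnerable(db, user, pw))
        print("fixed:     ", repr(user), repr(pw), "->", login_fixed(db, user, pw))
    print("legitimate: ", login_fixed(db, "jsmith", "hunter2"))
```

Parameter binding is the fix; escaping quotes by hand is not, because the attacker only needs one encoding or one field the escaping routine missed. Note that the vulnerable form also lets an attacker turn a login page into a query interface for reading the rest of the database, which is how a "perimeter" flaw becomes an internal one.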

"These methods and tools are relatively unsophisticated," says George Kurtz, worldwide CTO of McAfee, in a blog post. "The tools simply appear to be standard host administration techniques that utilize administrative credentials. This is largely why they are able to evade detection by standard security software and network policies."

In other words, unlike Stuxnet, or the Aurora attacks that targeted Google and other major technology companies about a year ago, the attackers here used cheap tools and techniques to execute targeted attacks that apparently succeeded in stealing valuable information.

What's the takeaway from Night Dragon, for the energy sector or any other business? Simply this: When it comes to cybercriminals, it's business as normal. "The report reflects not so much a single piece of sophistication, in either attack methodology or malware. Instead it emphasizes the persistent and coordinated attacks of organized groups against specific organizations, with the goal of extracting sensitive data," says Fraser Howard, a principal virus researcher at SophosLabs, in a blog post.

As with so many attacks, criminals relied on known vulnerabilities and common attack vectors. "The truth is that this week is no different to last -- there is no new outbreak, vulnerability, or risk of infection," he says. "Instead, the attacks illustrate the background crimeware menace that all organizations face."

But if there's one immediate takeaway, he says, it's that more organizations should be using potentially unwanted application (PUA) and application control (AppC) detection technology to monitor for legitimate but unwanted software operating inside the network. "The one thing clear from the Night Dragon attacks is that the use of PUA and AppC detections should not be dismissed," says Howard. "Using these types of technology to help manage what is allowed to run on your network can clearly provide a real security benefit."
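Kurtz's point above (admin credentials plus standard host administration techniques slip past standard security software) and Howard's point (control what is allowed to run) both come down to looking at activity that is individually legitimate. The following is an added example, not code from the article, McAfee or Sophos: two detection rules run over constructed event records. The first flags one source host using an administrative account to reach many hosts over NTLM network logons in a short window, and annotates whether the activity fell within 9-to-5 Beijing business hours, the cadence McAfee observed. The second is a minimal application-control check that flags any process start whose executable hash is not on an allowlist. The record format is a simplified pipe-delimited stand-in for Windows security events, not real EVTX, and every hostname, account, hash and tool name is made up.

```python
"""Added example (not from the article or any vendor): detections for
attackers who look like administrators. Event records below are constructed
in a simplified pipe-delimited form, not real Windows EVTX."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events. Format: time|event_id|fields...
#   4624 (logon):           time|4624|account|logon_type|auth_package|source_host|target_host
#   4688 (process created): time|4688|account|host|image_path|sha256
SAMPLE_EVENTS = """\
2011-02-10T01:03:11Z|4624|CORP\\svc_backup|3|NTLM|WS-0142|FS-01
2011-02-10T01:03:40Z|4624|CORP\\svc_backup|3|NTLM|WS-0142|FS-02
2011-02-10T01:04:02Z|4624|CORP\\svc_backup|3|NTLM|WS-0142|DC-01
2011-02-10T01:04:30Z|4624|CORP\\svc_backup|3|NTLM|WS-0142|APP-07
2011-02-10T01:05:15Z|4624|CORP\\svc_backup|3|NTLM|WS-0142|HR-DB
2011-02-10T14:10:00Z|4624|CORP\\jsmith|2|Kerberos|WS-0042|WS-0042
2011-02-10T14:12:00Z|4624|CORP\\jsmith|3|Kerberos|WS-0042|FS-01
2011-02-10T01:06:00Z|4688|CORP\\svc_backup|FS-01|C:\\Windows\\Temp\\remadmin.exe|deadbeef01
2011-02-10T14:15:00Z|4688|CORP\\jsmith|WS-0042|C:\\Program Files\\Office\\winword.exe|c0ffee01
"""

# Constructed allowlist (truncated SHA-256 values) and admin account list.
ALLOWLIST = {"c0ffee01", "0ff1ce02"}
ADMIN_ACCOUNTS = {"CORP\\svc_backup", "CORP\\Administrator"}
BEIJING = timezone(timedelta(hours=8))


def parse_events(text):
    """Parse the constructed format into (utc_timestamp, event_id, fields)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("|")
        ts = datetime.strptime(fields[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, fields[1], fields[2:]))
    return events


def in_beijing_business_hours(ts):
    """True if ts falls on a weekday between 09:00 and 17:00 in UTC+8 (context only)."""
    local = ts.astimezone(BEIJING)
    return local.weekday() < 5 and 9 <= local.hour < 17


def lateral_movement(events, min_targets=4, window=timedelta(minutes=10)):
    """Rule 1: admin account, NTLM network logon (type 3), one source host
    reaching >= min_targets distinct hosts within `window`."""
    by_source = defaultdict(list)
    for ts, eid, f in events:
        if eid != "4624":
            continue
        account, logon_type, package, src, dst = f
        if account in ADMIN_ACCOUNTS and logon_type == "3" and package == "NTLM":
            by_source[(account, src)].append((ts, dst))
    alerts = []
    for (account, src), hits in by_source.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            targets = {dst for ts, dst in hits[i:] if ts - start <= window}
            if len(targets) >= min_targets:
                alerts.append({
                    "account": account, "source": src, "targets": sorted(targets),
                    "first_seen": start,
                    "beijing_business_hours": in_beijing_business_hours(start),
                })
                break  # one alert per (account, source) is enough
    return alerts


def unapproved_executables(events, allowlist=ALLOWLIST):
    """Rule 2: application control. Any process start whose hash is not on the
    allowlist is flagged, whether or not the binary is 'legitimate' software."""
    return [
        {"time": ts, "host": f[1], "account": f[0], "image": f[2], "sha256": f[3]}
        for ts, eid, f in events if eid == "4688" and f[3] not in allowlist
    ]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for a in lateral_movement(evs):
        print("LATERAL MOVEMENT:", a)
    for a in unapproved_executables(evs):
        print("UNAPPROVED EXECUTABLE:", a)
```

On the sample data, rule 1 fires for svc_backup fanning out from WS-0142 to five hosts within two minutes at 09:03 Beijing time, and rule 2 fires for the unlisted remadmin.exe launched from a Temp directory; jsmith's ordinary Kerberos logons and allowlisted Word process trigger nothing. The business-hours flag is context for an analyst, not a detection on its own, since plenty of legitimate off-hours jobs exist. An allowlist works only if it is maintained, which is the operational cost Howard's advice implies.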

In other words, don't be afraid. Simply be prepared.


See all stories by Mathew J. Schwartz
