Attacks/Breaches
8/11/2011
12:56 PM
Connect Directly
RSS
E-Mail
50%
50%

Shady RAT No China Smoking Gun

Kudos to McAfee for discovering attacks that go undiscovered too often, but questions about attack severity, sophistication, or nation-state backing remain.

Is Shady RAT one of the "the biggest series of cyberattacks in history," as some media outlets have claimed?

McAfee's revelation of the long-running attacks, which have operated on the sly since at least 2006 and compromised more than 70 organizations, was timed to coincide with the publication last week of a related expose in Vanity Fair, as well as the start of the annual Black Hat security conference. McAfee's security researchers have been investigating the attacks-which they dubbed Shady RAT for their use of stealthy remote access tools-for some time.

While the tools used in such attacks can steal information, such attacks apparently exist in relatively low volumes, at least compared with the flood of spam, phishing attacks, and generic malware businesses see daily. But that low volume also makes RAT-style attacks difficult to detect when they do get launched.

If this low volume and persistence sound familiar, that's because it recalls the modus operandi for an advanced persistent threat. Of course, APT is a fuzzy concept. As McAfee's own report on Shady RAT notes, "this term lately lost much of its original meaning due to overzealous marketing tactics of various security companies, as well as to the desire by many victims to call anything they discover being successful at compromising their organizations as having been an APT." (Reference: RSA SecurID breach.) Generally, however, security experts define an APT as a threat involving attackers who can launch multiple exploits, advancing the underlying functionality along the way, to steal non-financial information of value, often operating without being detected.

The interesting APT-related angle to Shady RAT is that the attackers failed to update their Trojan software attack functionality for more than a year and failed to encrypt the server used to control the Trojans (often used by Chinese attackers). As a result, they left a trail that McAfee's researchers ultimately spotted and traced to the command-and-control server. The attackers had already installed Web traffic analysis tools on the server, further aiding researchers.

But simply discovering that server was somewhat unusual. "It was great that McAfee was able to get access to this data and show how it works," Joe Stewart, director of malware research for Dell SecureWorks, told me last week at Black Hat.

Some security researchers, however, dispute that Shady RAT would even qualify as an APT. "I would contend that it isn't, especially when you consider the errors made in configuring the servers and the relatively non-sophisticated malware and techniques used in this case," said Symantec researcher Hon Lau in a blog post. "Sure, the people behind it are persistent, but no more so than the myriad of other malware groups out there such as Zeus, Tidserv, and others like them."

While McAfee's discovery of the mechanics behind the Shady RAT attacks was new, the existence of the group was already known. Stewart said it's often referred to as the "Comment Crew," for using HTML comments as a mechanism for communicating with the botnet command-and-control servers the group operates. "They've got lots of infrastructure behind it, stuff we'll never get access to," he said. But the group has left tracks before. "One of the malware families belonging to this group is one that we saw using HTran, and sending its data back to China," Stewart said.

As a result of that traffic flow, security experts suspect the Comment Crew is operating from China. McAfee, while saying that it saw a solo "state actor" behind the attacks, stopped short of pointing fingers. Likewise, Alex Gostev, chief security expert for Kaspersky Lab, said that without hard evidence, people should beware jumping to conclusions about who's behind this attack, especially when it comes to the motives of criminal organizations.

For starters, Gostev said, the circumstances surrounding Shady RAT's discovery make the suggestion of state-sponsored hacking tenuous. "A situation in which a complicated and large-scale corporate espionage operation has alleged to have been undertaken for years but whose sophisticated organizers do not clean up their server access logs after them--this is something that can certainly be described as unusual," he said.

Furthermore, when it comes to how Shady RAT was used, McAfee has assumed--based on logs of connections between Web servers--that large organizations were spied on. But the report doesn't identity data that might have been stolen, or which specific Trojan applications were used, which makes it unclear what type of damage Shady RAT may even have caused, Gostev said.

"Until the information in the McAfee report is backed up by evidence, to talk about the biggest cyberattack in history is premature," he said. "Until then, we will consider it an original way of approaching the start of the annual Black Hat conference in Las Vegas."

The vendors, contractors, and other outside parties with which you do business can create a serious security risk. Here's how to keep this threat in check. Also in the new, all-digital issue of Dark Reading: Why focusing solely on your own company's security ignores the bigger picture. Download it now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-5700
Published: 2014-09-22
Multiple cross-site scripting (XSS) vulnerabilities in Baby Gekko before 1.2.2f allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter to admin/index.php or the (2) username or (3) password parameter in blocks/loginbox/loginbox.template.php to index.php. NOTE: some o...

CVE-2014-0484
Published: 2014-09-22
The Debian acpi-support package before 0.140-5+deb7u3 allows local users to gain privileges via vectors related to the "user's environment."

CVE-2014-2942
Published: 2014-09-22
Cobham Aviator 700D and 700E satellite terminals use an improper algorithm for PIN codes, which makes it easier for attackers to obtain a privileged terminal session by calculating the superuser code, and then leveraging physical access or terminal access to enter this code.

CVE-2014-3595
Published: 2014-09-22
Cross-site scripting (XSS) vulnerability in spacewalk-java 1.2.39, 1.7.54, and 2.0.2 in Spacewalk and Red Hat Network (RHN) Satellite 5.4 through 5.6 allows remote attackers to inject arbitrary web script or HTML via a crafted request that is not properly handled when logging.

CVE-2014-3635
Published: 2014-09-22
Off-by-one error in D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8, when running on a 64-bit system and the max_message_unix_fds limit is set to an odd number, allows remote attackers to cause a denial of service (dbus-daemon crash) or possibly execute arbitrary code by sending one m...

Best of the Web
Dark Reading Radio