Attacks/Breaches
8/11/2011
12:56 PM
Connect Directly
RSS
E-Mail
50%
50%

Shady RAT No China Smoking Gun

Kudos to McAfee for discovering attacks that go undiscovered too often, but questions about attack severity, sophistication, or nation-state backing remain.

Is Shady RAT one of the "the biggest series of cyberattacks in history," as some media outlets have claimed?

McAfee's revelation of the long-running attacks, which have operated on the sly since at least 2006 and compromised more than 70 organizations, was timed to coincide with the publication last week of a related expose in Vanity Fair, as well as the start of the annual Black Hat security conference. McAfee's security researchers have been investigating the attacks-which they dubbed Shady RAT for their use of stealthy remote access tools-for some time.

While the tools used in such attacks can steal information, such attacks apparently exist in relatively low volumes, at least compared with the flood of spam, phishing attacks, and generic malware businesses see daily. But that low volume also makes RAT-style attacks difficult to detect when they do get launched.

If this low volume and persistence sound familiar, that's because it recalls the modus operandi for an advanced persistent threat. Of course, APT is a fuzzy concept. As McAfee's own report on Shady RAT notes, "this term lately lost much of its original meaning due to overzealous marketing tactics of various security companies, as well as to the desire by many victims to call anything they discover being successful at compromising their organizations as having been an APT." (Reference: RSA SecurID breach.) Generally, however, security experts define an APT as a threat involving attackers who can launch multiple exploits, advancing the underlying functionality along the way, to steal non-financial information of value, often operating without being detected.

The interesting APT-related angle to Shady RAT is that the attackers failed to update their Trojan software attack functionality for more than a year and failed to encrypt the server used to control the Trojans (often used by Chinese attackers). As a result, they left a trail that McAfee's researchers ultimately spotted and traced to the command-and-control server. The attackers had already installed Web traffic analysis tools on the server, further aiding researchers.

But simply discovering that server was somewhat unusual. "It was great that McAfee was able to get access to this data and show how it works," Joe Stewart, director of malware research for Dell SecureWorks, told me last week at Black Hat.

Some security researchers, however, dispute that Shady RAT would even qualify as an APT. "I would contend that it isn't, especially when you consider the errors made in configuring the servers and the relatively non-sophisticated malware and techniques used in this case," said Symantec researcher Hon Lau in a blog post. "Sure, the people behind it are persistent, but no more so than the myriad of other malware groups out there such as Zeus, Tidserv, and others like them."

While McAfee's discovery of the mechanics behind the Shady RAT attacks was new, the existence of the group was already known. Stewart said it's often referred to as the "Comment Crew," for using HTML comments as a mechanism for communicating with the botnet command-and-control servers the group operates. "They've got lots of infrastructure behind it, stuff we'll never get access to," he said. But the group has left tracks before. "One of the malware families belonging to this group is one that we saw using HTran, and sending its data back to China," Stewart said.

As a result of that traffic flow, security experts suspect the Comment Crew is operating from China. McAfee, while saying that it saw a solo "state actor" behind the attacks, stopped short of pointing fingers. Likewise, Alex Gostev, chief security expert for Kaspersky Lab, said that without hard evidence, people should beware jumping to conclusions about who's behind this attack, especially when it comes to the motives of criminal organizations.

For starters, Gostev said, the circumstances surrounding Shady RAT's discovery make the suggestion of state-sponsored hacking tenuous. "A situation in which a complicated and large-scale corporate espionage operation has alleged to have been undertaken for years but whose sophisticated organizers do not clean up their server access logs after them--this is something that can certainly be described as unusual," he said.

Furthermore, when it comes to how Shady RAT was used, McAfee has assumed--based on logs of connections between Web servers--that large organizations were spied on. But the report doesn't identity data that might have been stolen, or which specific Trojan applications were used, which makes it unclear what type of damage Shady RAT may even have caused, Gostev said.

"Until the information in the McAfee report is backed up by evidence, to talk about the biggest cyberattack in history is premature," he said. "Until then, we will consider it an original way of approaching the start of the annual Black Hat conference in Las Vegas."

The vendors, contractors, and other outside parties with which you do business can create a serious security risk. Here's how to keep this threat in check. Also in the new, all-digital issue of Dark Reading: Why focusing solely on your own company's security ignores the bigger picture. Download it now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Must Reads - September 25, 2014
Dark Reading's new Must Reads is a compendium of our best recent coverage of identity and access management. Learn about access control in the age of HTML5, how to improve authentication, why Active Directory is dead, and more.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-5485
Published: 2014-09-30
registerConfiglet.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via unspecified vectors, related to the admin interface.

CVE-2012-5486
Published: 2014-09-30
ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character.

CVE-2012-5487
Published: 2014-09-30
The sandbox whitelisting function (allowmodule.py) in Plone before 4.2.3 and 4.3 before beta 1 allows remote authenticated users with certain privileges to bypass the Python sandbox restriction and execute arbitrary Python code via vectors related to importing.

CVE-2012-5488
Published: 2014-09-30
python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via a crafted URL, related to createObject.

CVE-2012-5489
Published: 2014-09-30
The App.Undo.UndoSupport.get_request_var_or_attr function in Zope before 2.12.21 and 3.13.x before 2.13.11, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote authenticated users to gain access to restricted attributes via unspecified vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
In our next Dark Reading Radio broadcast, we’ll take a close look at some of the latest research and practices in application security.