Attacks/Breaches
1/27/2010
02:56 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Anatomy Of A Targeted, Persistent Attack

New report provides an inside look at real attacks that infiltrated, camped out, and stole intellectual property and proprietary information -- and their links to China

A new report published today sheds light on the steps ultra-sophisticated attackers take to gain a foothold inside governments and company networks and remain entrenched in order to steal intellectual property and other data. The bad news is these attacks -- including the recent ones on Google, Adobe, and other companies -- almost always are successful and undetectable until it's too late.

The so-called advanced persistent threat (APT) attack model and case studies outlined in the report from forensics firm Mandiant are based on real-world attacks Mandiant has probed during the past seven years in the government and private industries. Though the report describes the brand of attack that hit Google, Adobe, and 20 to 30 other organizations, Mandiant wouldn't comment on whether its forensics experts are involved in the so-called Aurora attack that allegedly came out of China.

Most of the APT attack cases that Mandiant has worked on for the past few years have had ties to China: "The vast majority of APT activity observed by MANDIANT has been linked to China," the report says. And existing security tools are no match for these attacks -- only 24 percent of the malware used in the attacks Mandiant has investigated were detected by security software, the report says.

"The fact that there is more activity around this [threat] in the past two to three weeks is good. Hopefully, this continues and gets people talking about being aware of it," says Michael Malin, executive vice president at Mandiant. "The APT is a reality; it's out there ... it's not just a government or defense issue. We're seeing it at the commercial level, as well."

As a matter of fact, Mandiant has worked with 10 percent of Fortune 100 companies on APT attacks in their organizations, according to Malin. "And we've responded to computer security incidents at 20 percent of Fortune 100 [companies]," including APT and payment card attacks.

It's not that these attacks are anything new. A published report in the Christian Science Monitor this week revealed a wave of APT attacks that occurred in 2008 against the oil industry, including Marathon Oil, ExxonMobil, and ConocoPhillips, all of which didn't realize the extent of the damage until 2009, when the FBI told them "proprietary" data had been siphoned from their computers. It's more that regulatory -- business pressures are now forcing companies like Google to own up to their victimization, security experts say.

Mandiant's Malin says APT attacks are waged by teams of hackers who go after different levels of the infrastructure: "They are going after the network level, or the host-based level," he says. "There's a lot of coordination."

And sometimes the teams don't even know the other is already inside the victim's network. Even so, they typically are working for the same cause, usually espionage, he says. And once they are in, they don't need to hack through again; they set up camp with a longer-term presence that allows them to move about the company freely and typically undetected.

"From a security point of view, there's no magic bullet" to these attacks, says Alan Shimel, CEO of The CISO Group. "Nothing is going to make you immune."

The most effective way to shut down such an attack, however, is to uncover and block the command and control (C&C) conduit between the compromised systems and the attackers, says Gunter Ollmann, vice president of research for Damballa. "Then they have to go to their backup systems and reinfect the host," Ollmann says. "The Achilles' heel is their C&C. They require interactive access to the systems to control them and to target and extricate information ... by detecting and denying that, you've muted the attack."

APT attacks typically have a correlation between political or business activity or events, Mandiant's Malin says. And they often are waged as a campaign for a specific type of information or intelligence. For example, in one series of attacks on local, state, and federal agencies that Mandiant worked on, which was featured in the report, the attackers were after counter-terrorism intelligence.

Malware used in APT attacks is basically hidden in plain sight, in a low-profile, camouflaged manner. Mandiant says the average file size is a relatively diminutive 121.85 kilobytes, and that only 10 percent of any of these backdoor programs were "packed," a technique that can be easily spotted. But more advanced attackers do pack their malware in. Among the most common file names for the malware: svchost.exe, iexplore.exe, iprinp.dll, and winzf32.dll -- all of which wouldn't raise any red flags and could easily be overlooked. Most of these attackers evade anomaly detection by using outbound HTTP connections, as well as process injection.

Mandiant's report also drew some connections between these attacks and China: The attackers mostly work during daytime hours in China, which is nighttime in the U.S., the report says. "APT-associated activity typically occurs on any given weeknight except for foreign and major U.S. holidays," the report says. "This indicates the attackers know when new information may be available for exfiltration." Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6117
Published: 2014-07-11
Dahua DVR 2.608.0000.0 and 2.608.GV00.0 allows remote attackers to bypass authentication and obtain sensitive information including user credentials, change user passwords, clear log files, and perform other actions via a request to TCP port 37777.

CVE-2014-0174
Published: 2014-07-11
Cumin (aka MRG Management Console), as used in Red Hat Enterprise MRG 2.5, does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.

CVE-2014-3485
Published: 2014-07-11
The REST API in the ovirt-engine in oVirt, as used in Red Hat Enterprise Virtualization (rhevm) 3.4, allows remote authenticated users to read arbitrary files and have other unspecified impact via unknown vectors, related to an XML External Entity (XXE) issue.

CVE-2014-3499
Published: 2014-07-11
Docker 1.0.0 uses world-readable and world-writable permissions on the management socket, which allows local users to gain privileges via unspecified vectors.

CVE-2014-3503
Published: 2014-07-11
Apache Syncope 1.1.x before 1.1.8 uses weak random values to generate passwords, which makes it easier for remote attackers to guess the password via a brute force attack.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.