Attacks/Breaches
2/10/2010
02:27 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

'Aurora' Attacks Still Under Way, Investigators Closing In On Malware Creators

Researchers find 'markers' associated with authors of Aurora malware used in attacks against Google, others

The targeted attacks that hit Google, Adobe, and other U.S. organizations are still ongoing and have affected many more companies than the original 20 to 30 or so reported by Google and others.

Security experts who have worked on forensics investigations and cleanup of the victim organizations from the attacks that originated out of China say they are also getting closer to identifying the author or authors of the malware used to breach Google and others.

"The attack called Operation Aurora is larger than just [the attacks acknowledged at the] 30 companies. That attack is still in operation and is much larger," says Greg Hoglund, founder and CEO of HBGary, which today published a report on Operation Aurora that recaps where things stand with the investigation.

He and other forensics firms say they have no direct evidence implicating the Chinese government in the Aurora attacks, but that doesn't mean other investigators or officials have it and just aren't sharing it publicly, Hoglund says. HBGary has found trails left behind in the Aurora code by its creators that are "very specific to the developer who compiled the malware," Hoglund says, and it has Chinese language ties.

HBGary has identified registry keys, IP addresses, suspicious runtime behavior, and other data about the Aurora malware and its origins using the firm's latest analysis tool, he says.

Hoglund says HBGary was able to identify "markers" specific to the way the Aurora developer wrote the malware. But he says his firm did not include this in its new report. "This is not in the report because we don't want him to know what we know about his coding," he says. "[It] is algorithmic in nature."

The Aurora "knock-off" malware based on the publicly released Aurora IE exploit and Metasploit's Aurora exploit wouldn't carry these markers, he says, so investigators would be able to identify whether it was from the same attacker or attackers that hit Google, Adobe, and others.

"We're really just getting started in tracing him," Hoglund says.

Kevin Mandia, CEO of forensics firm Mandiant, also says his firm's investigators are getting close to exposing the creators of the Operation Aurora malware. "We feel like we know a couple of them in their coding -- we recognize their trademarks ... down to the person."

Mandiant, which has been in the business of investigating these targeted, persistent attacks -- also known as advanced persistent threats (APTs) -- has seen the handiwork of these groups of attackers before. "The groups behind these [Aurora] attacks have hacked hundreds of companies" in previous targeted attacks, Mandia says. "At one time we saw over 200 victim [organizations hit by targeted attacks]," he says.

He says attacks that steal intellectual property typically funnel the goods via IP addresses based in China. But Mandia says he doesn't know if the Chinese government is involved in the recent attacks or other APT attacks, though some trends with these attacks raise questions. "We see patterns that just make us curious. If you're doing merger and acquisition work in China, you're targeted," Mandia says. "We've seen when we respond to client sites [that were attacked] a lot of legal counsel, external counsel, and C-level executives [targeted] in M&A with China."

Meanwhile, HBGary today released a free tool for downloading that scans and removes the Aurora malware from Windows machines. Hoglund calls it an "inoculation shot."

Still, Hoglund and other security experts note that the attackers didn't use only the Internet Explorer 6 exploit. One source with knowledge of the attacks says the attackers aren't using just phishing emails to deliver their exploits, either. "I know they are not" relying on just the IE exploit via email, the source says.

About 80 percent of APT attacks use custom malware, Mandia says. "We recently took over 1,800 programs we've collected since 2008 that are all part of APT ... and ran it through AV, and only 24 percent of the malware triggered antivirus," he says. "Over a year ago, none of it was triggering AV."

Mandia says that while some Aurora and other APT victims continue to be hammered by attackers sending new malware variants to the already-infected machines, these types of targeted attacks aren't letting up. "There's just another patch of victims somewhere else now," Mandia says.

"Aurora is a wake-up call," says Peter Schlampp, vice president of marketing and product management for forensics firm Solera Networks. "Companies are waking up to the fact that they've under-invested in the area of security around surveillance and monitoring and forensics to get to the bottom of what happened."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.