11:02 AM
Connect Directly

Google Hack Code Released, Metasploit Exploit Now Available

Researchers now say there's no evidence infected PDFs were used in the targeted attacks originating from China on Google and other companies, but investigations continue

Internet Explorer exploit code used in the so-called Aurora attacks out of China against Google and other companies has been posted online -- and now the popular Metasploit hacking tool has released a working exploit of the attack, as well.

The malware, which exploited a zero-day vulnerability in Internet Explorer in targeted attacks against Google and other companies' networks, was used to go after IE 6 browsers in the massive attacks, which ultimately resulted in the theft of intellectual property from Google and other as-yet unnamed organizations. Adobe and Rackspace are among the companies so far that say they were hit by the attacks, which first came to light this past week and were allegedly conducted by hackers in China.

With the IE exploit in the wild now, it could be used by other cybercriminals to go after other organizations or users. And while Metasploit's new exploit is meant for researchers and penetration testers to gauge their vulnerability to the attack, Metasploit is still an open-source tool that can be deployed for nefarious purposes.

"The public release of the exploit code increases the possibility of widespread attacks using the Internet Explorer vulnerability," George Kurtz, McAfee's CTO, blogged late yesterday. "This attack is especially deadly on older systems that are running XP and Internet Explorer 6."

The IE flaw discovery has prompted the German government to recommend that its citizens no longer use IE and instead run alternative browser until Microsoft comes up with a patch, according to a post on Heise Security.

Researchers working on investigating the attacks say the IE malware was just one weapon used in the attacks.

In a related development, iDefense has retracted its claims that infected PDF files were used in the attacks on Google and others. Earlier last week iDefense had said that malicious PDF file attachments sent via email to the victims were likely the attack vector.

"In iDefense's press announcement regarding the recently discovered Silicon Valley compromises, we stated that the attack vector was likely 'malicious PDF file attachments delivered via email' and suggested that vulnerability in Adobe Reader appeared to have been exploited in these attacks. Upon further review, we are retracting our initial assessment regarding the likely use of Adobe vulnerabilities. There are currently no confirmed instances of vulnerability in Adobe technologies being used in these attacks. We continue to investigate this issue," iDefense said in a statement late yesterday.

iDefense's statement and revelations by McAfee about its findings led other researchers to back down from their claims of infected PDFs, as well.

Meanwhile, Microsoft provided more details on the actual vulnerability. It's basically a memory-corruption problem that is triggered when an attacker using JavaScript places attack code in the memory.

Users of IE 6 on Windows XP should upgrade to a newer version of IE or enable Data Execution Prevention (DEP), according to Microsoft. All versions of IE crash when the attack code is opened, but you can limit the attack to just crashing the browser by disabling JavaScript and disabling the code from executing in "freed memory," Microsoft suggests. DEP stops code from executing from pages of memory that aren't designated as executable, thus stopping the malware.

Daniel Kennedy, a partner with the Praetorian Security Group, says the attack opens a backdoor into the victim's PC, which gives the attacker carte blanche to do whatever the user can do. "Once the backdoor is open to the user's PC the attacker can use it as a pivot point for other attacks against the internal network, escalate his or her privileges, take information off the PC, basically do anything the user can do," Kennedy said in blog post late yesterday.

He also posted a video simulating the attack, using the new Metasploit exploit module. You can view it here.

Meanwhile, the U.S. State Department reportedly may take more formal measures against China over the alleged attacks. State Department officials want answers from China, but thus far have been unsuccessful in doing so in their initial meetings with Chinese officials.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is Executive Editor at She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
It Takes an Average of 3 to 6 Months to Fill a Cybersecurity Job
Kelly Jackson Higgins, Executive Editor at Dark Reading,  3/12/2019
New Mirai Version Targets Business IoT Devices
Dark Reading Staff 3/19/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: LOL  Hope this one wins
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Cyber Security Incident Response
The State of Cyber Security Incident Response
Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-03-18
An unquoted search path vulnerability was identified in Lenovo Dynamic Power Reduction Utility prior to version that could allow a malicious user with local access to execute code with administrative privileges.
PUBLISHED: 2019-03-18
Five9 Agent Desktop Plus 10.0.70 has Incorrect Access Control (issue 2 of 2).
PUBLISHED: 2019-03-17
Phamm (aka PHP LDAP Virtual Hosting Manager) 0.6.8 allows XSS via the login page (the /public/main.php action parameter).
PUBLISHED: 2019-03-15
CircuitWerkes Sicon-8, a hardware device used for managing electrical devices, ships with a web-based front-end controller and implements an authentication mechanism in JavaScript that is run in the context of a user's web browser.
PUBLISHED: 2019-03-15
An Integer overflow vulnerability exists in the batchTransfer function of a smart contract implementation for CryptoBotsBattle (CBTB), an Ethereum token. This vulnerability could be used by an attacker to create an arbitrary amount of tokens for any user.