Flaws In The 'Aurora' Attacks

Security experts say targeted attacks could have been much worse, point out strategic errors made by the attackers

The attackers who unleashed the recent wave of targeted attacks against Google, Adobe, and other companies made off with valuable intellectual property and source code and shocked the private sector into confronting the threat of state-sponsored cyberespionage -- but they also made a few missteps along the way that may have prevented far worse damage.

Security experts say that while the attacks were indeed potent in their outcome, Google discovered them relatively quickly, and the malware used against Google, Adobe, and other as-yet unnamed companies was neither especially sophisticated nor unique; what set the attacks apart was the zero-day exploit used to deliver it. The attacks -- which Google says came out of China -- had been under way for nearly a month on average by the time Google found them out in mid-December.

Chinese officials yesterday told the state-run Xinhua news agency that the government was not involved in the attacks.

Microsoft last week issued an emergency patch intended to protect Internet Explorer (IE) from the now infamous IE exploit code that was used to infect the front-line victims of the attacks at Google, Adobe, and some of the other targeted firms. Now that the exploit has seen the light of day and has been duplicated in other in-the-wild attacks since, researchers have reverse-engineered it for clues about the attackers and their intentions.

Joe Stewart, director of malware research for Secureworks and the person who discovered some Chinese-language ties to the code, says the so-called "Aurora" code shares characteristics with other malware. "It's not incredibly sophisticated," Stewart says. "They do put in encryption ... and wrote an actual protocol to send binary [commands]. But that's something we've seen before in a lot of malware. Still, it's not something amateurs would do."

The attack vector -- using a social engineering phishing message to lure the victims -- wasn't anything new, either. What impressed security researchers who've studied the code was the outcome of the attacks, not the malware.

"The sophistication of the Aurora attacks is less about the malware and zero-day used, and more about the coordinated effort to target and pilfer from an estimated 33 companies in a short period of time," says Marc Maiffret, chief security architect for FireEye. "The exploit is subpar on many levels as it relates to weaponized exploits, and the malware is also of less sophistication than we have seen with even a standard botnet. The fact is, these attacks show what is commonplace and already happening every day to businesses relying on legacy AV and IPS technologies."

How the attackers gathered intelligence on the victim companies is still unclear, but sources with knowledge of the events say the attackers gathered the appropriate names and email addresses thanks to "good intelligence" that they were able to use. "The state sponsorship may not be financial, but it is backed with intelligence," one source said in an earlier interview. "What we're seeing is a blending of intelligence work plus malicious cyberattacks."

One theory is that they merely did their own research via the public Web, which can be employed by anyone doing reconnaissance. Another theory is they could have had access to, or compromised, a high-level router that handles traffic to and from Google in China, according to the source.

Maiffret and other security experts say what's most striking is how the attackers were able to hit so many companies at once, and that it appears they were successful in stealing what they were after. "That was definitely sophisticated in itself," Maiffret says.

But there was a downside to waging these attacks en masse -- it was also fairly conspicuous. Google has said publicly that at least 20 companies from a range of industries, including Internet, finance, technology, media, and chemical, were among the casualties, but security sources say the number could be closer to 30.

"What was uncommon here was that they hit all of these companies at once. Frankly, that was not particularly clever. That upped their rate of being caught," says Al Huger, vice president of engineering at Immunet. "That's a hallmark of somebody not really knowing what they were doing."

Huger says that doesn't necessarily mean the attacks were not state-sponsored, however. "But whoever did it made some egregious mistakes," he says.

Another big misstep was that the attackers apparently sent the stolen data back to one server location, he says. "All it took was Google to track that server and it could tell who else was compromised" as well, he says. "That's pretty bush league."
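The pivot Huger describes -- one exfiltration server, so one indicator finds every victim -- is easy to reproduce against ordinary outbound-connection logs. The Python below is an added example written for this page, not code from Google, from the article, or from any of the companies named in it. The log format, host names and addresses are constructed for illustration; the exfiltration server address is taken from the 203.0.113.0/24 documentation range. Given that one address, the code lists every host that talked to it, how much data each pushed out, and when.

```python
"""Pivot on a shared exfiltration server across many hosts.

Added example for this page; not code from the article or from any
victim organisation. Log format, host names and IP addresses below are
constructed, and the "indicator" is simply the one server address the
attackers were careless enough to reuse.
"""
from collections import defaultdict
from datetime import datetime

# Constructed outbound-connection records in a simple key=value format:
# <timestamp> host=<source host> dst=<ip:port> bytes_out=<bytes sent>
SAMPLE_LOG = """\
2009-12-10T02:14:03Z host=eng-ws-017 dst=203.0.113.45:443 bytes_out=18432
2009-12-10T02:14:09Z host=eng-ws-017 dst=198.51.100.8:80 bytes_out=412
2009-12-10T03:41:55Z host=fin-ws-102 dst=203.0.113.45:443 bytes_out=2211840
2009-12-10T09:02:17Z host=hr-lt-044 dst=192.0.2.77:443 bytes_out=1040
2009-12-11T02:14:10Z host=eng-ws-017 dst=203.0.113.45:443 bytes_out=786432
2009-12-11T02:15:01Z host=legal-ws-009 dst=203.0.113.45:443 bytes_out=52
2009-12-12T02:14:07Z host=eng-ws-017 dst=203.0.113.45:443 bytes_out=9830400
"""

# Hypothetical indicator: the single server every infected host reported to.
EXFIL_SERVER = "203.0.113.45"


def parse_log(text):
    """Parse the constructed log format into a list of dict records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        dst_ip, dst_port = kv["dst"].rsplit(":", 1)
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": kv["host"],
            "dst_ip": dst_ip,
            "dst_port": int(dst_port),
            "bytes_out": int(kv["bytes_out"]),
        })
    return records


def pivot_on_destination(records, indicator_ip):
    """Return {host: summary} for every host that connected to indicator_ip.

    The summary carries connection count, total bytes sent, and first/last
    contact, which is what an incident responder needs to scope the
    compromise and to order the hosts for triage.
    """
    hits = defaultdict(list)
    for r in records:
        if r["dst_ip"] == indicator_ip:
            hits[r["host"]].append(r)

    summary = {}
    for host, rs in hits.items():
        rs.sort(key=lambda r: r["ts"])
        summary[host] = {
            "connections": len(rs),
            "bytes_out": sum(r["bytes_out"] for r in rs),
            "first_seen": rs[0]["ts"],
            "last_seen": rs[-1]["ts"],
        }
    return summary


def rank_by_exfil_volume(summary):
    """Hosts ordered by bytes sent to the indicator, largest first."""
    return sorted(summary.items(), key=lambda kv: kv[1]["bytes_out"], reverse=True)


if __name__ == "__main__":
    victims = pivot_on_destination(parse_log(SAMPLE_LOG), EXFIL_SERVER)
    for host, s in rank_by_exfil_volume(victims):
        print(f"{host:14} {s['connections']:3} conns  {s['bytes_out']:>10} bytes  "
              f"{s['first_seen']:%Y-%m-%d %H:%M} .. {s['last_seen']:%Y-%m-%d %H:%M}")
```

In the sample, a single indicator turns one confirmed infection into three scoped victims, and the byte totals show which host most likely carried the bulk of the stolen material. The same search run across the logs of several organisations is exactly how one company's discovery can expose the rest of a campaign; attackers who rotate exfiltration infrastructure per victim deny responders that pivot.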

Even so, these shortcuts may have been irrelevant to the attackers if they were satisfied with the intellectual property they did score, experts say.

And while the public focus thus far has been on the infected client machines, details are still emerging on exactly how the attackers got the intellectual property out of the victims -- and Google and Adobe aren't talking about that publicly. Several scenarios are possible: the attackers grabbed the infected machines' user credentials and used them to dive deeper into Google and the others; they used additional exploits to tunnel their way inside; or they combined the two approaches.

Still, many of the details of the attack may never come to light. Google hasn't elaborated on its initial revelation about the attacks, and since it appears the attackers were mostly after intellectual property, if the other 20 to 30 or so companies didn't have customer data exposed in the attacks, they won't necessarily have to step into the spotlight and admit they were attacked, experts say.

Meanwhile, researchers said today that they had spotted the IE Aurora exploit code running on at least one Chinese government Website, adding fuel to speculation about Chinese government backing of the attacks on Google, Adobe, and the other companies. Experts say this is yet another indication that, now that the exploit is in the wild, Chinese users may be even more exposed to it than users in the U.S. are.

"The question is, is it CN Government sponsored for the purposes of potentially spying on its citizens, or have GOV.CN websites been infiltrated by hackers?" blogged Zscaler researchers today.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
