Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

1/25/2010
05:42 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Flaws In The 'Aurora' Attacks

Security experts say targeted attacks could have been much worse, point out strategic errors made by the attackers

The attackers who unleashed the recent wave of targeted attacks against Google, Adobe, and other companies, making off with valuable intellectual property and source code, shocking the private sector into the reality of the potential threat of state-sponsored cyberespionage -- but they also made a few missteps along the way that might have prevented far worse damage.

Security experts say while the attacks indeed were potent in their outcome, they were discovered relatively quickly by Google, and the malware used to attack Google, Adobe, and other as-yet unnamed companies wasn't especially sophisticated nor unique other than the fact that it was a zero-day exploit. The attacks -- which Google says came out of China -- had been under way for, on average, nearly a month, and Google found them out in mid-December.

Chinese officials yesterday told the state-run Xinhua news agency that the government was not involved in the attacks.

Microsoft last week issued an emergency patch intended to protect Internet Explorer (IE) from the now infamous IE exploit code that was used to infect the front-line victims of the attacks at Google, Adobe, and some of the other targeted firms. Now that the exploit has seen the light of day and has been duplicated in other in-the-wild attacks since, researchers have reverse-engineered it for clues about the attackers and their intentions.

Joe Stewart, director of malware research for Secureworks and the person who discovered some Chinese-language ties to the code, says the so-called "Aurora" code has similar characteristics with other malware. "It's not incredibly sophisticated," Stewart says. "They do put in encryption ... and wrote an actual protocol to send binary [commands]. But that's something we've seen a before in a lot of malware. Still, it's not something amateurs would do."

The attack vector -- using a social engineering phishing message to lure the victims -- wasn't anything new, either. What impressed security researchers who've studied the code was the outcome of the attacks, not the malware.

"The sophistication of the Aurora attacks is less about the malware and zero-day used, and more about the coordinated effort to target and pilfer from an estimated 33 companies in a short period of time," says Marc Maiffret, chief security architect for FireEye. "The exploit is subpar on many levels as it relates to weaponized exploits, and the malware is also of less sophistication than we have seen with even standard botnet. The fact is, these attacks show what is commonplace and already happening every day to businesses relying on legacy AV and IPS technologies."

How the attackers gathered intelligence on the victim companies is still unclear, but sources with knowledge of the events say the attackers gathered the appropriate names and email addresses thanks to "good intelligence" that they were able to use. "The state sponsorship may not be financial, but it is backed with intelligence," one source said in an earlier interview. "What we're seeing is a blending of intelligence work plus malicious cyberattacks."

One theory is that they merely did their own research via the public Web, which can be employed by anyone doing reconnaissance. Another theory is they could have had access to, or compromised, a high-level router that handles traffic to and from Google in China, according to the source.

Maiffret and other security experts say what's most striking is how the attackers were able to hit so many companies at once, and that it appears they were successful in stealing what they were after. "That was definitely sophisticated in itself," Maiffret says.

But there was a downside of waging these attacks en masse -- it was also fairly conspicuous. Google has said publicly that at least 20 companies from a range of industries, including Internet, finance, technology, media, and chemical, were among the casualties, but security sources say it could be up to around 30.

"What was uncommon here was that they hit all of these companies at once. Frankly, that was not particularly clever. That upped their rate of being caught," says Al Huger, vice president of engineering at Immunet. "That's a hallmark of somebody not really knowing what they were doing."

Huger says that doesn't necessarily mean the attacks were not state-sponsored, however. "But whoever did it made some egregious mistakes," he says.

Another big misstep was that the attackers apparently sent the stolen data back to one server location, he says. "All it took was Google to track that server and it could tell who else was compromised" as well, he says. "That's pretty bush league."

Even so, these shortcuts may have been irrelevant to the attackers if they were satisfied with the intellectual property they did score, experts say.

And while the focus thus far publicly has been on the infected client machines, the details are still emerging on how exactly the attackers got the intellectual property from the victims -- and Google and Adobe aren't talking about that publicly. Several scenarios are possible, including the attackers grabbing the infected machine's user credentials, and from there diving deeper into Google and the others, or the attackers used additional exploits to tunnel their way inside, or a combination of the two approaches.

Still, many of the details of the attack may never come to light. Google hasn't elaborated on its initial revelation about the attacks, and since it appears the attackers were mostly after intellectual property, if the other 20- to 30-something companies didn't have customer data exposed in the attacks, they won't necessarily have to step into the spotlight and admit they were attacked, experts say.

Meanwhile, researchers today said that they have spotted the IE Aurora exploit code running on at least one Chinese government Website, adding fuel to speculation about Chinese government backing of the attacks on Google, Adobe, and the other companies. And experts say this is yet another indication that Chinese users may be even more vulnerable to this particular exploit now that it's in the wild than users in the U.S. are.

"The question is, is it CN Government sponsored for the purposes of potentially spying on its citizens, or have GOV.CN websites been infiltrated by hackers?" blogged Zscaler researchers today.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Who knew face masks could also prevent the PII from spreading
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-31618
PUBLISHED: 2021-06-15
Apache HTTP Server protocol handler for the HTTP/2 protocol checks received request headers against the size limitations as configured for the server and used for the HTTP/1 protocol as well. On violation of these restrictions and HTTP response is sent to the client with a status code indicating why...
CVE-2021-20027
PUBLISHED: 2021-06-14
A buffer overflow vulnerability in SonicOS allows a remote attacker to cause a Denial of Service (DoS) by sending a specially crafted request. This vulnerability affects SonicOS Gen5, Gen6, Gen7 platforms, and SonicOSv virtual firewalls.
CVE-2021-32684
PUBLISHED: 2021-06-14
magento-scripts contains scripts and configuration used by Create Magento App, a zero-configuration tool-chain which allows one to deploy Magento 2. In versions 1.5.1 and 1.5.2, after changing the function from synchronous to asynchronous there wasn't implemented handler in the start, stop, exec, an...
CVE-2021-34693
PUBLISHED: 2021-06-14
net/can/bcm.c in the Linux kernel through 5.12.10 allows local users to obtain sensitive information from kernel stack memory because parts of a data structure are uninitialized.
CVE-2021-27887
PUBLISHED: 2021-06-14
Cross-site Scripting (XSS) vulnerability in the main dashboard of Ellipse APM versions allows an authenticated user or integrated application to inject malicious data into the application that can then be executed in a victim’s browser. This issue affects: Hitachi ABB Power Grids ...