
1/21/2010
06:11 PM

New Details On Targeted Attacks On Google, Others, Trickle Out

Meanwhile, Microsoft releases emergency patch for IE exploit used in the attacks

New details about the targeted attacks against Google and other U.S. companies that resulted in the theft of source code and other intellectual property emerged today, while Microsoft released an emergency patch for a flaw in Internet Explorer that was exploited in those attacks.

Chenxi Wang, principal analyst for security and risk management at Forrester Research, says Google last week instituted an emergency update to its corporate VPN, raising questions about whether the network was in some way compromised in the attacks. But, she says, Google disputed her initial analysis that the attackers gained access to Google's server via its corporate VPN.

"This is the first we've heard about the VPN involvement at Google. I'm not sure this definitely qualifies as a VPN breach because we don't know what the attacker did to the VPN system -- it's possible that the attacker used the user credentials to log in through the VPN without doing anything illegal to the VPN. Or it is possible that the attacker did attack the VPN system. But Google won't say one way or another," Wang says.

A Google spokesperson declined to comment on Wang's findings.

What has been made public about the attack on Google and others is that the attackers used social engineering: phishing emails carrying malicious links lured victims to a page hosting an exploit for Internet Explorer 6. The exploit dropped a Trojan onto the victim's machine, giving the attacker control of it. It abuses a zero-day vulnerability present in all versions of Internet Explorer, but now that the exploit code has been released publicly, the attacks seen in the wild have so far mostly targeted IE 6 machines.

A malware researcher, meanwhile, has traced the malware used in the attacks to Chinese-language authors. While reverse-engineering a sample of the malware, Joe Stewart, director of malware research at SecureWorks, discovered that some modules in the code carry timestamps dating back to May 2006, so the so-called Aurora malware -- a.k.a. the Hydraq Trojan -- was in the works for some time, he says. He says he also found evidence that the code has Chinese origins: It uses an unusual implementation of the cyclic redundancy check (CRC) algorithm that he has seen only in source published on Chinese-language Websites.
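Why an implementation detail of a CRC routine can serve as a fingerprint, even though every correct CRC-16 implementation returns identical checksums, is worth seeing in code. The example below is added here and is not from the article or from Stewart's analysis; the polynomial (CRC-16/CCITT, 0x1021), the 16-entry "nibble" table layout, the little-endian packing, and the two sample binary blobs are all assumptions chosen for the demonstration, since the article does not publish the constants actually found in Hydraq. It builds the common 256-entry byte table and a 16-entry nibble table for the same polynomial, shows that both compute the same checksum, and then classifies a binary by which table image it contains, the way a static signature scanner would.

```python
"""Illustrative example, not code from the article or from SecureWorks.

Two CRC-16 implementations that agree on every checksum but differ in an
implementation idiom (a 256-entry byte table versus a 16-entry nibble table).
The table constants a compiler emits into a binary are a stable signature of
which idiom the author used, which is the kind of clue a reverse engineer
can match across samples. Polynomial and table layout are assumptions.
"""
from __future__ import annotations

import struct

POLY = 0x1021  # assumed: CRC-16/CCITT polynomial, MSB-first


def make_table(bits: int) -> list[int]:
    """Build an MSB-first CRC-16 lookup table indexed by `bits` input bits
    (8 gives the common 256-entry table, 4 gives a 16-entry nibble table)."""
    table = []
    for i in range(1 << bits):
        crc = i << (16 - bits)
        for _ in range(bits):
            crc = ((crc << 1) ^ POLY) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
        table.append(crc)
    return table


TABLE256 = make_table(8)
TABLE16 = make_table(4)


def crc16_bytewise(data: bytes, init: int = 0xFFFF) -> int:
    """Conventional byte-at-a-time CRC-16 using the 256-entry table."""
    crc = init
    for b in data:
        crc = ((crc << 8) & 0xFFFF) ^ TABLE256[((crc >> 8) ^ b) & 0xFF]
    return crc


def crc16_nibblewise(data: bytes, init: int = 0xFFFF) -> int:
    """Same CRC computed four bits at a time with the 16-entry table.
    The output is identical; only the constants in the binary differ."""
    crc = init
    for b in data:
        for nib in (b >> 4, b & 0x0F):
            crc = ((crc << 4) & 0xFFFF) ^ TABLE16[((crc >> 12) ^ nib) & 0x0F]
    return crc


def table_signature(table: list[int]) -> bytes:
    """Byte image of the table as a compiler would emit a uint16_t[] on a
    little-endian target (assumption: no padding, no reordering)."""
    return b"".join(struct.pack("<H", v) for v in table)


def classify_crc_impl(blob: bytes) -> str:
    """Report which CRC table idiom a binary blob embeds.

    The 16-entry table is exactly the first 16 entries of the 256-entry
    table for any MSB-first CRC, so the shorter signature is a prefix of
    the longer one: test the longer signature first or every byte-table
    binary would be misreported as nibble-table.
    """
    if table_signature(TABLE256) in blob:
        return "byte-table"
    if table_signature(TABLE16) in blob:
        return "nibble-table"
    return "unknown"


# Constructed stand-ins for two binaries that both implement CRC-16/CCITT
# correctly but with different idioms. Padding bytes are arbitrary filler.
SAMPLE_NIBBLE_BINARY = b"\x90" * 37 + table_signature(TABLE16) + b"\xcc" * 11
SAMPLE_BYTE_BINARY = b"\x90" * 5 + table_signature(TABLE256) + b"\xcc" * 3


if __name__ == "__main__":
    check = b"123456789"
    print(hex(crc16_bytewise(check)), hex(crc16_nibblewise(check)))
    print(classify_crc_impl(SAMPLE_NIBBLE_BINARY), classify_crc_impl(SAMPLE_BYTE_BINARY))
```

Two caveats a practitioner would keep in mind: a 16-entry table is only 32 bytes of constants, so on its own it is a weak signature and should be matched together with the surrounding code pattern, and the attribution value comes not from the table itself but from how rare the idiom is in the corpus you compare against, which is the part of Stewart's finding the code above cannot reproduce.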

Most of the details that have emerged about how the attackers gained access to Google's network and intellectual property have focused mainly on the IE exploit, but security experts say several other exploits were involved in the widespread targeted attacks.

Forrester's Wang, meanwhile, says she believes the "emergency update" to Google's VPN infrastructure was somehow a result of the attack. Wang first raised the possibility that Google's VPN was used to access its server in the attack in a blog post today -- which she has since updated twice after Google first confirmed and then disputed it.

Whether the VPN update was a precautionary measure by Google or purely coincidental is unclear as well.

Still baffling to experts is why a Google user or users would be running the older and less secure version 6 of Microsoft's browser. Security experts have suggested either that some nontechnical Google employees simply hadn't upgraded their browsers, or that the attack targeted a Google employee working from a home machine running IE 6.

Wang says Google told her it was possible someone was running IE 6 internally for "testing purposes." That didn't add up for Wang, however: "I can buy that you might be running an older version of a browser for testing purposes (for backward compatibility), but why wasn't the testing environment isolated from production and from access to critical assets? Isn't that one of the first things you do in setting up a test environment?" she wrote in her blog post.

Whatever the reason for the old IE 6 browser, Wang says Google's breach should serve as a cautionary tale for other enterprises. "IT should make sure everyone is running the latest browsers with the latest patches and latest OS -- everything -- and [a] test environment should be entirely separate from the production environment," she says.

Al Huger, vice president of engineering at Immunet, says the attack on Google raises legitimate worries for other companies. "People I've spoken to say if Google, with arguably the brightest security guys in the industry, can get broken into in the heartland of Silicon Valley and have source code stolen, how secure is anybody else?"


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
