Dark Reading is part of the Informa Tech Division of Informa PLC

New Details On Targeted Attacks On Google, Others, Trickle Out

Meanwhile, Microsoft releases emergency patch for IE exploit used in the attacks

New details about the targeted attacks against Google and other U.S. companies that resulted in the theft of source code and other intellectual property emerged today, while Microsoft released an emergency patch for a flaw in Internet Explorer that was exploited in those attacks.

Chenxi Wang, principal analyst for security and risk management at Forrester Research, says Google last week instituted an emergency update to its corporate VPN, raising questions about whether the network was in some way compromised in the attacks. But, she says, Google disputed her initial analysis that the attackers gained access to Google's server via its corporate VPN.

"This is the first we've heard about the VPN involvement at Google. I'm not sure this definitely qualifies as a VPN breach because we don't know what the attacker did to the VPN system -- it's possible that the attacker used the user credentials to log in through the VPN without doing anything illegal to the VPN. Or it is possible that the attacker did attack the VPN system. But Google won't say one way or another," Wang says.

A Google spokesperson declined to comment on Wang's findings.

What has been made public about the attack on Google and others is that the attackers used social engineering: phishing emails carrying malicious links lured their victims. The linked pages hosted an exploit for Internet Explorer 6 that dropped a Trojan onto the victim's machine and gave the attacker control of it. The exploit abuses a zero-day vulnerability present in all versions of Internet Explorer, but attacks in the wild have so far mostly gone after IE 6 machines now that the exploit code has been released publicly.

A malware researcher, meanwhile, has traced the code used in the exploit to Chinese-language authors. While reverse-engineering a sample of the malware used in the attacks, Joe Stewart, director of malware research at SecureWorks, found that some modules in the code carry timestamps dating back to May 2006, so the so-called Aurora malware -- a.k.a. the Hydraq Trojan -- had been in the works for some time, he says. He also found evidence that the code has Chinese origins: It uses a unique implementation of the cyclic redundancy check (CRC) algorithm that is associated with Chinese-language websites.

Most of the details that have emerged about how the attackers gained access to Google's network and intellectual property have focused mainly on the IE exploit, but security experts say several other exploits were involved in the widespread targeted attacks.

Forrester's Wang, meanwhile, says she believes the "emergency update" to Google's VPN infrastructure was somehow a result of the attack. She first raised the possibility that Google's VPN was used to reach its server during the attack in a blog post today, and has since updated the post twice, after Google first confirmed and then disputed it.

Whether the VPN update was a precautionary measure by Google or purely coincidental is unclear as well.

Still baffling to experts is why a Google user or users would be running the older and less secure version 6 of Microsoft's browser. Security experts have suggested that either some nontechnical Google employees just hadn't bothered to upgrade their browsers, or that the attack could have targeted a Google employee working from his home machine running IE 6.

Wang says Google told her it was possible someone was running IE 6 internally for "testing purposes." That didn't add up for Wang, however: "I can buy that you might be running an older version of a browser for testing purposes (for backward compatibility), but why wasn't the testing environment isolated from production and from access to critical assets? Isn't that one of the first things you do in setting up a test environment?" she wrote in her blog post.

Whatever the reason for the old IE 6 browser, Wang says Google's breach should serve as a cautionary tale for other enterprises. "IT should make sure everyone is running the latest browsers with the latest patches and latest OS -- everything -- and [a] test environment should be entirely separate from the production environment," she says.
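As an added illustration of Wang's inventory point (this is example code, not code from the article or from Google): a small Python pass over web-proxy log lines that flags the hosts and accounts whose User-Agent reports an Internet Explorer version below a chosen baseline, so they can be patched or moved out of production. The log layout and the sample lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (not from the article): client IP, user, URL, User-Agent.
SAMPLE_LOG = """\
10.1.4.22 alice http://intranet.example/ "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
10.1.4.23 bob http://news.example/ "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
10.1.9.7 carol http://mail.example/ "Mozilla/5.0 (Windows; U; Windows NT 6.1) AppleWebKit/532.5 Chrome/4.0.249 Safari/532.5"
10.1.4.22 alice http://partner.example/ "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
10.2.0.15 testlab http://legacyapp.example/ "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
"""

# Assumed log layout: <ip> <user> <url> "<user-agent>" (one request per line).
LINE_RE = re.compile(r'^(?P<ip>\S+) (?P<user>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$')
# Classic IE advertises itself as "MSIE <major>.<minor>" inside the User-Agent.
MSIE_RE = re.compile(r'MSIE (\d+)\.(\d+)')

def parse_line(line):
    """Split one proxy log line into its fields, or return None if it does not match the layout."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def ie_major_version(ua):
    """Return the IE major version encoded in a User-Agent, or None for non-IE browsers."""
    m = MSIE_RE.search(ua)
    return int(m.group(1)) if m else None

def find_outdated_ie(log_text, minimum_major=8):
    """Count requests per (ip, user, ie_major) for clients running IE older than minimum_major.

    The result is the patch/isolation worklist: every key names a host and account
    that reached the proxy with a browser below the baseline.
    """
    hits = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the whole report
        major = ie_major_version(rec["ua"])
        if major is not None and major < minimum_major:
            hits[(rec["ip"], rec["user"], major)] += 1
    return dict(hits)

if __name__ == "__main__":
    for (ip, user, major), count in sorted(find_outdated_ie(SAMPLE_LOG).items()):
        print(f"{ip:<12} {user:<10} IE {major}  requests={count}")
```

The same pass works on a real proxy export once LINE_RE is adjusted to that product's field order; the baseline is a parameter because "latest" moves with each release.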

Al Huger, vice president of engineering at Immunet, says the attack on Google raises legitimate worries for other companies. "People I've spoken to say if Google, with arguably the brightest security guys in the industry, can get broken into in the heartland of Silicon Valley and have source code stolen, how secure is anybody else?"


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
