
Risk

1/16/2010
11:57 AM
George V. Hulme
Commentary

Nothing New In Aurora Hack

Attackers targeting victims through phishing e-mails that lure users to maliciously crafted Web sites is nothing new. But it does highlight the sophistication of the modern attacker.

We don't know many details about how Google was hacked, or all of the other companies that were involved, but we do know that the attackers used targeted phishing e-mails to trick users into clicking on a link that led them to a maliciously crafted Web site. That Web site then used an exploit to infect the victims' systems through a vulnerability in a Web browser, in this case Internet Explorer.

This is a very old story. According to an Anti-Phishing Working Group report published in September, the number of phishing Web sites (which is essentially what a significant portion of this hack was) reached 49,084 in June of 2009. Everyday Internet users are targeted with phishing attacks to steal their identities, credit card and bank account information, customer lists, trade secrets - whatever may be of value.

What's interesting here is who the attackers are alleged to be, and the high-profile nature of the targeted companies. It's also noteworthy that a zero-day vulnerability was used, as opposed to a vulnerability that has already been disclosed - which is still way more common.

Professional attackers have been turning to specialized, highly targeted attacks for a while now, and that's certainly what appears to have happened in this wave of attacks. Way back in 2007 (many lifetimes in Internet years), the U.S.-China Economic and Security Review Commission (USCC) cited Chinese espionage as one of the top risks to the U.S. technology industry. There's a link to the report, and an overview of a wave of hacking known as "Titan Rain" that is eerily similar to this most recent episode, in this post from 2008: China's Long List Of Hacking Denials. It also quotes a Chinese official claiming China doesn't have the skills to conduct such attacks.

None of this should be of any surprise to anyone who has been paying attention.

We've known that such highly-targeted attacks occur, but they've mostly been discussed as targeting government agency networks. Now we see, clearly, that they're used for corporate espionage and that they are very effective.

The recent attacks also underscore the fact that security managers should forget about big, scary, and nebulous figures such as 25 million new malware variants hitting the Web in a single year. Instead, they should protect the infrastructure with the necessary technology and employee security awareness training as if the organization were being targeted by a handful of highly skilled, educated, and motivated attackers. That's the threat landscape any business with intellectual property faces every single day.

From Dark Reading:

Dmitri Alperovitch, vice president of threat research at McAfee, says the attack using the IE flaw was what allowed intruders to take over victims' machines and then access their company networks and resources. "All the user had to do was click on the link and the malware was automatically downloaded onto their machine, and it proceeded to update itself," Alperovitch says. "One of the modules was a remote-control capability that allowed them to take over the machine. From that point forward, they had access to the [victim's] network and could do reconnaissance and exfiltrate any data they encountered, and go after key resources."

Sure, the attacks were discovered, but once the malicious payload is delivered and the attacker has gained control of the target's system, the damage is done within minutes or hours. Any additional time is gravy for the attacker.

The best - but certainly not perfect - defense is a layering of defenses. Make sure employees are properly trained not to open attachments or click on links in suspicious e-mails. In the event that training fails, make sure endpoint anti-malware and personal firewalls are running and that operating systems and applications are patched. It's also a great idea to make sure you are filtering Web traffic through a URL and reputation filter.

And, for the next few days or weeks, closely monitor Microsoft Security Advisory (979352) for updates to the zero-day in Internet Explorer that made the remote attacks possible.
