Aurora Attack — Resistance Is Futile, Pretty Much
eldavojohn writes "Do you have branch offices in China? iSec has published a new report (PDF) outlining the severity of the attacks on Google.cn, allegedly by the Chinese government, dubbed 'Aurora' attacks. Up to 100 companies were victims, and some are speculating that resistance to such attacks is futile. The report lays out the shape of the attacks — which were customized per-company based on installed vulnerable software and antivirus protection: '1. The attacker socially engineers a victim, often in an overseas office, to visit a malicious website. 2. This website uses a browser vulnerability to load custom malware on the initial victim's machine. 3. The malware calls out to a control server, likely identified by a dynamic DNS address. 4. The attacker escalates his privilege on the corporate Windows network, using cached or local administrator credentials. 5. The attacker attempts to access an Active Directory server to obtain the password database, which can be cracked onsite or offsite. 6. The attacker uses cracked credentials to obtain VPN access, or creates a fake user in the VPN access server. 7. At this point, the attack varies based upon the victim. The attacker may steal administrator credentials to access production systems, obtain source code from a source repository, access data hosted at the victim, or explore Intranet sites for valuable intellectual property.' The report also has pages of recommendations as well as lessons learned, which any systems administrator — even those inside the US — should read and take note of."
Major attack preventer: Google docs PDF reader.
When you're afraid to download music illegally in your own home, then the terrorists have won!
Major attack vector: Acrobat Reader. Security company publishes intrusion analysis in pdf format. If you clicked it, you may be part of the problem.
This is Slashdot. Who clicks on the article links?
On a serious note, the Link Alert extension for Firefox will put an icon following links that go to a PDF file. (I know that the /. editors kindly put "(PDF)" after it, but to be honest I tuned it out, and if I felt like reading TFA would have just clicked.)
Please provide evidence. Not in the form of an attack page, obviously, but a cite.
If you don't expect/want traffic from China, configure your firewall to block IP addresses assigned to China.
Browser exploit to get on the box.
Privilege escalate to LOCAL/Admin.
Grab the user's NT security token (metasploit), or keylog the password.
Enumerate machines (dsquery) to find out where Admin is logged in.
Log into that box.
Privilege escalate to Admin.
Steal his token.
You are now Enterprise Admin.
Sorry for the follow up post, but I think I now understand in a roundabout way. You have to be a member of the Domain Admins group to join a PC to the Domain. It's those Domain Admin credentials that get cached - per PC that's been previously joined. YIKES! So if a user is a member of the local Administrators group, he also has access to the local SAM database. Root the box, and you might be able to recover the cached passwords from it.
Be sure to change your Domain Admins password often. Honestly, how many people often do that? More than they should really.
Life is not for the lazy.
That paper was this one hosted on Cryptome: Unrestricted Warfare
by Qiao Liang and Wang Xiangsui (Beijing: PLA Literature and Arts Publishing House, February 1999)
It is translated by the FBIS, the CIA's Foreign Broadcast Information Service, which collects and translates reports from around the globe.
When I was in the military, we used to shred our secret documents to NSA specs, which is 0.8mm x 4mm. That's about the same width as the "i" in the subject, and about twice as long.
In 2002, we were informed that this was not small enough, and now had to run the shredded documents through the hammer mill, so everything would be reduced to powder.
They caught some folks rummaging at the local landfill, looking for the trash bags filled with end of week, end of month and end of year destruction.
Those people had stereo microscopes in their homes and apartments, and were reassembling the documents and crypto tapes, one tiny piece at a time.
The Chinese have existed as a nation for longer than any other civilization on the face of this planet, and they take the "long view" in such things.
[End Of Line]
You do realize that the existence of a rootkit for a system in no way implies a vulnerability for a system, right? A rootkit isn't something that 'grants you root', it's a tool to help you hide your tracks once you are already root. Wikipedia has a good page about it.
That said, the easiest way to get your linux box rooted (do you see the difference between getting your box rooted and a rootkit?) is to use a weak ssh password. I don't know how common privilege escalation vulnerabilities are, but I've seen them work in the past.
Qxe4
And get 0wned by a zombie in Switzerland or Dubai or Schenectady or something.
The World Wide Web is dying. Soon, we shall have only the Internet.
I imagine most of us are saying: "Not a problem. I don't have anything China wants."
I wish. This is what hacking looks like now. If you haven't noticed, you haven't been paying attention.
We asked ourselves which 10 computers would cause us the greatest loss if they were compromised. When we took a hard look at their network traffic, we found an otherwise undetectable compromise. It appears to have been in place for at least 3 months. Just patiently listening and waiting.
You may want to try the same exercise.
Organized crime has demonstrated (http://www.ren-isac.net/alerts/banking-attacks_technical_201001.html) that patient, disciplined attacks yield great monetary rewards.
The Chinese have demonstrated that patient, disciplined attacks are virtually unstoppable.
What more could any hacker want?
The most fragile secret is a successful economic model. Once it gets out, EVERYBODY copies it.
Learn how to defend yourself if you want to survive.
Miles
There are several methods of escalating to domain admin once you have Local Administrator access on a member workstation. It is our experience that most large Enterprise AD networks are vulnerable to at least one of these issues:
1. Crack a common local user with a shared password, like "MACHINENAME\ITAdmin". Alternatively, you can use an NTLM hash as a password equivalent with custom tools, like my colleague Jesse Burns demonstrated in 2005.
2. Crack the cached hash of a domain admin from the SECURITY hive. This hash is created by an interactive login to the machine, i.e. via the local keyboard or RDP. These hashes are not stored after remote RPC, SMB, etc...
3. Install a keystroke logger and wait for an interactive login by an Administrator. A good technique is to open an IT ticket as the victim, which often triggers an admin to remotely access the machine via RDP.
4. Wait for an automated process to touch the box with domain admin credentials. Common tools that do this are patch management systems, vulnerability scanners, software licensing compliance tools and event log aggregation systems. When the handshake for the network service begins (say over DCE RPC), the attacker rejects the Kerberos ticket and requests a downgrade to LanMan or NTLMv1. Either one of those protocols will allow an attacker to use a pre-computed time-memory trade-off to quickly recover the password (aka Rainbow Tables).
5. Wait for an automated "touch" and perform a pass-the-hash attack. This is possible on services that do not enforce at least "Packet Integrity" security. The admin and the victim machine legitimately exchange credentials, but the resulting authenticated connection can now be modified by the attacker. Again, see Burns 2005.
Absolutely the same story in India. Sometimes I wonder if _any_ place outside of the US really gets it. Anecdotally, even Europe seems similarly third world-ish. This is also the reason I think predictions of the US being eclipsed anytime this century are hogwash.
Yea US gets it ... that's where it is at, 14 trillion dollars in debt, quantitative easing (aka printing money) to the rescue!
I'm guessing you're a troll, but I do this. Well not exactly, you don't need to convert anything.
Open a youtube video, let it buffer, go into /tmp and there's the file. Just do "mplayer file" and watch it. I do this because the flash player crashed a lot (x86_64 Linux) and mplayer is smoother.
My grandmother used anecdotal evidence all the time, and she lived to be 120 years old.
and what's really depressing is our own corporations are falling over backwards (outsourcing production, relocating, sourcing goods from China) to help them all in the name of short term profit to make the next quarter's numbers look good. There is no level playing field. The Chinese are deliberately polluting their country and ruining their workers health in order to make their labour and processes so cheap that we can't compete.
Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
"The correct answer for security is, regardless of the system you use, assume it is vulnerable." That may be true, but you need to take a step back and try to understand the risks associated with specific systems. Some systems are far more vulnerable than others. Maybe Windows is best suited for some specific tasks, but it is obviously not best suited for Network or Internet use. So go ahead and run your Windows system for a specific CAD or Game application, but avoid the high risk, network based activities on those systems--keep them mostly disconnected and never NEVER fire up IE. Currently, Linux is a far better choice for security. You can say what you want about the doomsday future of Linux (if we all used it), but for now and the foreseeable future it is a no-brainer choice for Internet and network use over Windows. Every Windows system I have ever known eventually succumbed to some sort of malware or virus, even though security software was used extensively. The sheer cost and risks of maintaining a Windows environment in this space are insurmountable--as many have found out the hard way through loss of business, data, money, etc. So to reduce risk, practice good security policy always and choose your systems carefully for what they are best at doing. In many many cases, Linux IS a great way to go and you can get there spending far less while reducing risk along the way. Can I help it if it just works better and does so at far less cost?