Slashdot Mirror

← Back to Stories (view on slashdot.org)

Aurora Attack — Resistance Is Futile, Pretty Much

Posted by kdawson on from the big-leagues dept.

eldavojohn writes "Do you have branch offices in China? iSec has published a new report (PDF) outlining the severity of the attacks on Google.cn, allegedly by the Chinese government, dubbed 'Aurora' attacks. Up to 100 companies were victims, and some are speculating that resistance to such attacks is futile. The report lays out the shape of the attacks — which were customized per-company based on installed vulnerable software and antivirus protection: '1. The attacker socially engineers a victim, often in an overseas office, to visit a malicious website. 2. This website uses a browser vulnerability to load custom malware on the initial victim's machine. 3. The malware calls out to a control server, likely identified by a dynamic DNS address. 4. The attacker escalates his privilege on the corporate Windows network, using cached or local administrator credentials. 5. The attacker attempts to access an Active Directory server to obtain the password database, which can be cracked onsite or offsite. 6. The attacker uses cracked credentials to obtain VPN access, or creates a fake user in the VPN access server. 7. At this point, the attack varies based upon the victim. The attacker may steal administrator credentials to access production systems, obtain source code from a source repository, access data hosted at the victim, or explore Intranet sites for valuable intellectual property.' The report also has pages of recommendations as well as lessons learned, which any systems administrator — even those inside the US — should read and take note of."

29 of 268 comments (clear)

  1. Who clicked on the PDF? by symbolset · · Score: 5, Insightful

    Major attack vector: Acrobat Reader. Security company publishes intrusion analysis in pdf format. If you clicked it, you may be part of the problem.

    --
    Help stamp out iliturcy.
    1. Re:Who clicked on the PDF? by PsychoSlashDot · · Score: 5, Insightful

      Absolutely. It's kind of funny because it was over five years ago that Microsoft "got it" and started reducing the attack surface in their operating systems. Non-essential services were disabled by default for instance.

      Now, in 2010 the web experience "requires" a browser, Flash, Adobe Reader, Java run-time, and potentially a slew of other plug-ins. Everything from WinZip to the Google Toolbar has a service running in the background to update it periodically, and there's a push for unrelated shit to be bundled with what we try to install. Download managers are becoming increasingly the norm, with Adobe burying their direct link to Reader and Flash one link further from the "Click Here to Download" link the same week they patched an exploit in it.

      We need to re-think how we compute. Less is more. Pick a standard such as HTML5 and stick to it. No plugins. (Beyond page-agnostic browser functionality add-ons like Ad-Block Plus.) No background services, no download managers, no web-extending formats. If a stock browser less than three years old can't render it, it isn't the web. If it isn't the web, we don't code for it. JPG, PNG, and a handful of standardized other formats can be direct linked-to.

      That's not the panacea... it won't solve it all. But going the way we're going is the wrong direction. Let's try less crap on our machines that might be vulnerable.

      --
      "Oh no... he found the .sig setting."
  2. Sounds like resistance is easy. by Kludge · · Score: 3, Insightful

    Just don't use MS Windows.

    1. Re:Sounds like resistance is easy. by Wingman+5 · · Score: 5, Insightful

      Yea, because there is no way to get rootkited or other vulnerabilities on Linux system.

      Hey, I wonder where the term "rootkit" originated?

    2. Re:Sounds like resistance is easy. by sopssa · · Score: 4, Insightful

      This is especially true because these are highly targeted attacks. Unlike other malware, these don't go where the majority of users are - they go against what the target company is using and have a reason to spend the extra time on it.

    3. Re:Sounds like resistance is easy. by MichaelSmith · · Score: 2, Insightful

      the best practices corporate IT departments have been following for years are ineffective against the attacks

      Well obviously. Antivirus protects against old, common vectors. But if a company ran (say) ubuntu or (more likely) macos an attacker could still craft an attack against them, as long as they had information on the systems being used.

      --
      http://michaelsmith.id.au
    4. Re:Sounds like resistance is easy. by bersl2 · · Score: 3, Insightful

      Don't think of it as obscurity. Think of it more as diversity.

    5. Re:Sounds like resistance is easy. by Wingman+5 · · Score: 2, Insightful

      Go ahead - root me. What are you waiting for? You want the details of my operating system? HA! I'm not that easy to social engineer!

      Thats why I don't root you, I root your receptionist to get the proverbial foot in the door. "Hi this is John from IT, we found a virus on your workstation I just emailed you the program to remove it, just open it and it will solve the issue"

    6. Re:Sounds like resistance is easy. by Sycraft-fu · · Score: 4, Insightful

      Yep. I do find it funny how many Linux types will advocate Linux more or less as a "security through obscurity" thing. "Oh use Linux because all these attacks target Windows!" Ok, well if everyone took your advice and switched to Linux, they'd target Linux instead.

      The correct answer for security is, regardless of the system you use, assume it is vulnerable. Assume you can be attacked (because you can). Then take steps to remediate it. Have defense in depth, have layers of security so if one fails others still exist. Keep your security up to date and able to deal with current threats. Do this, and it doesn't really matter what OS you run, you are as safe as you can be.

      You have to look at it like with physical security, where there is no such thing as perfect security. There is no system that cannot be broken or bypassed in some way. All you can do is make it good enough to ward off any threats for long enough to detect and stop the threats. There is not a single step you can take to keep thing safe, including moving your location.

      That is sort of what is being talked about here. It would be like moving from the city out to a sparse area. Ok, that probably will reduce attacks however if that's your solution for security, you've done nothing. You are just hoping you don't get attacked, you haven't done anything to actually deal with the attacks. Same deal with switching OSes. Just saying "Oh well use Linux," doesn't really help. Sure there are less attacks over all for it, but that doesn't mean anything. If you still implement bad security practices (like having users run as root and having weak passwords) then you've done nothing for real security. You are just hoping that by being less visible you won't get attacked, you've no ability to actually deal with an attack.

      So choose your OS based on which one works the best for what you do. Then take steps to properly secure it, because the proactive security measures are what really keep you safe, not the OS. It is perfectly possible to have an extremely secure Windows network, and an extremely insecure Linux network.

    7. Re:Sounds like resistance is easy. by Nazlfrag · · Score: 2, Insightful

      Well it's neither. If your intent is to stop a specific attack with this modus operandi then not running Active Directory or Windows would be a sensible thing to do. Not that that negates all attacks, but it would negate the specific one outlined in TFS.

    8. Re:Sounds like resistance is easy. by iserlohn · · Score: 3, Insightful

      It's perfectly possible to walk on the moon as well. Now about the amount of effort to get there.....

      --
      :. Ultimate Control Dedicated/VM Servers
  3. Re:Even better, don't hire humans by Anonymous Coward · · Score: 2, Insightful

    Humans are the biggest weakness in the chain. Don't hire them

    This.

  4. Antivirus? by TubeSteak · · Score: 2, Insightful

    "Attackers are willing to spend months attacking people in these companies, and they write custom malware specific to those companies," [iSec founding partner Alex Stamos] told The Register. "The malware for each of these companies has been customized based on the versions of vulnerable software they're running, as well as what kind of anti-virus they're using. ...

    Since when has anti-virus heuristics algorithms been at all useful against custom malware?

    Even the script kiddies can find encrypters to take their cookie cutter programs and make them invisible to the majority of anti-virus programs.

    --
    [Fuck Beta]
    o0t!
  5. Resistence is VERY easy by Anonymous Coward · · Score: 2, Insightful

    QUIT RUNNING WINDOWS. Look, if anybody runs windows on more than their client box (and many would argue even that is stupid), then you deserve what you get. The same set of idiots will design tanks and subs with picture windows.

  6. So for this attack to work. by Anonymous Coward · · Score: 3, Insightful

    1. You must first find someone using windows who is prone to clicking things without thinking. - ok, I accept that.
    2. Running a vulnerable browser - Still quite common, First security failure
    3. Running windows - Still very plausible
    4. Vulnerable to a privilege escalation exploit - Second security failure
    5. With a network setup that is vulnerable to this kind of thing - Third security failure
    5. Then "accessing" an AD server database - Fourth security failure
    6. To be cracked - ok

    So for this to work you have to have an insecure browser or other userland app that is easily exploitable (Acrobat), an OS with a privilege escalation flaw and A network that will let someone do things they probably shouldn't, an AD server that is crackable so that you can get at the DB.

    IMHO that is a hell of a lot of failures by the various parties for this to work.

    1. Re:So for this attack to work. by Shikaku · · Score: 4, Insightful

      Your boss at work:

      "Why can't I install programs on my own machine, I'm the boss for god's sake!"

      He's admin of his own machine now on his corporate internet. Hilarity ensues.

    2. Re:So for this attack to work. by esocid · · Score: 2, Insightful

      Have you not ever worked in an office setting? Walk by your sysadmin's dungeon and mention something about clicking a link in some email you got, and sit back and watch the fireworks.

      I can pretty much guarantee you that even in a tech setting, there will even be a handful of those people who still lack common, and/or tech, sense. This is exactly why certain places prevent their employees from installing software, running as admin, running off of flashdrives, or even discs.

      --
      Absolute power corrupts absolutely. indymedia
    3. Re:So for this attack to work. by jon3k · · Score: 3, Insightful

      Boss's browser is configured to use Websense proxy (running on Linux actually, Websense Security Gateway). All traffic blocked at firewall, only Websense allowed out and only via destination port 80 and port 443 (and other specific allows for certains servers/apps to specific destination networks). Uncategorized sites are blocked in Websense. Cisco Botnet filtering installed on ASA's at the edge. Sourcefire IDS monitoring. Ironport e-mail gateways filtering spam. Trend anti-virus running on everything running Windows.

      And most importantly - constant user training, re-training and reminders.

      I'm sure I missed a few other security components I take for granted but that should be enough to cover it. I work for a medium sized health care company, nothing fancy.

  7. How do we know THAT isn't compromised? by Anonymous Coward · · Score: 1, Insightful

    For all we know, the Chinese agent who hacked google.cn may have uploaded a trojan pdf reader extension.

  8. Oldschool by Anonymous Coward · · Score: 2, Insightful

    This type of social engineering attack has been around for atleast 2 decades now. there are manny books about it, including mitnicks.
    Windows exploits, spicificley owning a windows AD network via local privelege escalation, sniffing, buffer under/overflows and dumping hashes from the domain controller has been around for atleast 1 decade, the kind of thing I pulled off in highschool.
    All they did here is put together very old puzzle peices with a little bit of stratigy.

    when will pepole learn to stop using windows? when will people learn to start instituting strict mail policies on corprate networks?

    Probably never.

    This is not about technical security, this is about exploiting the victums way of thinking.
    make money first, keep staff happy second. building a well oilded, tightley maintained business machine does not even come into consideration.

  9. Re:Number 5? by DigiShaman · · Score: 2, Insightful

    I follow steps 1 - 4. Regarding step 5 however...

    Log into that box.

    That user must be either a member of the Domain Admins group, or Local Administrators group of that PC. The later seems possible as there are many users that love to RDP into their own boxes from work over a VPN connection. Even then, only one user is allowed access unless it is a Terminal Server.

    As for the NT security token. I know that when a user (regardless of membership) logs into a machine, the security credentials get cached. But from what I understand, you can't recover passwords from the local SAMS database unless the box is already rooted.

    --
    Life is not for the lazy.
  10. Re:oh for the love of ____! by Runaway1956 · · Score: 2, Insightful

    Have you been keeping up with current events? The news on ACTA, for starters. Those school kids being spied on in Philadelphia via school mandated computers. Traffic light cameras. There is little doubt in my mind that the US is moving toward the same sort of round the clock surveillance that England and China enjoy right now. Law enforcement is pushing through a variety of rules, regulations, and even laws, permitting them to track citizens via mobile phone and other means, WITHOUT a warrant.

    I definitely see an Orwellian future for the United States. Unless, of course, the citizens revolt against it. Unfortunately, the very citizens are subsidizing all of this surveillance. How many people do you know who have PAID FOR that GPS tracking that General Motors offers? Yes, PAID FOR some nice un-intrusive surveillance. Soon, the insurance companies will mandate that all vehicles have such surveillance, and we'll just roll over, and accept the edict.

    --
    "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
  11. Oh brother.. by jav1231 · · Score: 2, Insightful

    "We went to do business in a communist nation and they attacked our network, attempting to gain access and who knows what!?" As my teenaged daughter used to say, "Uh..Hello! Yeah!?" Which loosely translates to: And you're surprised?

  12. Re:oh for the love of ____! by vajorie · · Score: 2, Insightful

    Okay, I know an ex-pat who has moved to China and married. I have a much better understanding

    Hey, nice to hear. I have this Black friend so I know Blacks. /yay

  13. Re:SMBs and Cloud Computing by sumdumass · · Score: 1, Insightful

    I hope you weren't counting on a Funny mod because Google was a victim of this attack. IF you were, then I'm sorry that I walked around it. I do not think cloud computing would be the solution to something like this.

    You see, they infiltrated the regular network before infiltrating the servers. Even cloud computing services wouldn't be looking for attacks from inside as it would appear once the workstations were compromised. They basically tricked users into giving them access or visiting a site that took advantage of an exploit to get access on the workstations. From there, it was almost like sitting in the offices that were supposed to be accessing the servers. This would work with or without cloud computing.

  14. Re:Number 5? by dweller_below · · Score: 4, Insightful

    .. Root the box, and you might be able to recover the cached passwords from it.

    Almost. The iSec paper mentioned, but didn't explain 'Pass The Hash' attacks. See the excellent SANS paper at: http://www.sans.org/reading_room/last.php

    Bottom line is, the attacker doesn't need to get back to the passwords by cracking the hashes. The attacker can just directly use the hashes.

    Being targetted by these guys is like standing in the middle of a crowd of pick-pockets. No matter what you do, they are going to get stuff. You are lucky get get out with your teeth.

    Miles

  15. Google, Linux, and virtual machines by r00t · · Score: 2, Insightful

    If you preview it using as suggested the google reader aren't you still loading that into memory?

    You're loading it into Google's memory. Google is using a non-Adobe program to generate HTML.

    In theory the attacker could have a Google-specific 0-day exploit that pwns Google's server (probably custom unreleased software on Linux, so VERY hard) and then ships you some evil HTML. This is damn unlikely.

    I'd also be curious to know the effectiveness of these pdf attacks on linux hosts.

    Linux is a bit harder to attack, especially if 64-bit. It's possible to make Linux **MUCH** harder to attack, but we haven't bothered yet.

    Although not feasible for the work environment (or is it?) there are probably many users out there who now surf through virtual machines.

    I think you have that backwards, but this is rare in either case. In the business environment it's possible to get site licenses, firewalls to block non-VM browsing, and even competant IT support. Note: "possible". It's very uncommon, but possible.

  16. Re:Chinese Patience by phantomfive · · Score: 3, Insightful

    There is no concept of repeat business here. Any supplier who believes they can get away with it will supply a shipment of non-functional crap and pocket the single payment rather than even bother trying to set up monthly deliveries of functional goods.

    Don't know about China, but I read about one guy in a similar situation in Belgrade, where at the time they sold gasoline for cars in open buckets on the side of the road. Some of the gas was high quality, and others was cheap and could ruin your car. This guy built a relationship with a 'supplier' (who was named Stevo, from Zemun), and paid him extra to make sure he always got him the high quality stuff.

    Same thing in China, if you are willing to establish a good relationship with some suppliers, and make sure they get paid extra for their effort. If you aren't willing to pay extra, if you are stingy and try to wring the last cent out of your supplier, well, you get what you pay for.

    --
    Qxe4
  17. Re:Chinese Patience by In+hydraulis · · Score: 3, Insightful

    What makes you think the US is any different? We're talking about a nation that has offshored most of its manufactoring industry for the promise of a few cheap, possibly-functional trinkets.

    If the Chinese cultural mindset "believes they can get away with [supplying a single] shipment of non-functional crap" it is because this approach is working for them. I wonder who their customers are.