Aurora Attack — Resistance Is Futile, Pretty Much
eldavojohn writes "Do you have branch offices in China? iSec has published a new report (PDF) outlining the severity of the attacks on Google.cn, allegedly by the Chinese government, dubbed 'Aurora' attacks. Up to 100 companies were victims, and some are speculating that resistance to such attacks is futile. The report lays out the shape of the attacks — which were customized per-company based on installed vulnerable software and antivirus protection: '1. The attacker socially engineers a victim, often in an overseas office, to visit a malicious website. 2. This website uses a browser vulnerability to load custom malware on the initial victim's machine. 3. The malware calls out to a control server, likely identified by a dynamic DNS address. 4. The attacker escalates his privilege on the corporate Windows network, using cached or local administrator credentials. 5. The attacker attempts to access an Active Directory server to obtain the password database, which can be cracked onsite or offsite. 6. The attacker uses cracked credentials to obtain VPN access, or creates a fake user in the VPN access server. 7. At this point, the attack varies based upon the victim. The attacker may steal administrator credentials to access production systems, obtain source code from a source repository, access data hosted at the victim, or explore Intranet sites for valuable intellectual property.' The report also has pages of recommendations as well as lessons learned, which any systems administrator — even those inside the US — should read and take note of."
Major attack vector: Acrobat Reader. Security company publishes intrusion analysis in pdf format. If you clicked it, you may be part of the problem.
Help stamp out iliturcy.
Yeah, because there is no way to get rootkitted or hit by other vulnerabilities on a Linux system.
Hey, I wonder where the term "rootkit" originated?
This is especially true because these are highly targeted attacks. Unlike other malware, these don't go where the majority of users are - they go against what the target company is using and have a reason to spend the extra time on it.
Your boss at work:
"Why can't I install programs on my own machine, I'm the boss for god's sake!"
He's admin of his own machine now on his corporate intranet. Hilarity ensues.
Root the box, and you might be able to recover the cached passwords from it.
Almost. The iSec paper mentioned, but didn't explain 'Pass The Hash' attacks. See the excellent SANS paper at: http://www.sans.org/reading_room/last.php
Bottom line is, the attacker doesn't need to get back to the passwords by cracking the hashes. The attacker can just directly use the hashes.
Being targeted by these guys is like standing in the middle of a crowd of pickpockets. No matter what you do, they are going to get stuff. You are lucky to get out with your teeth.
Miles
Yep. I do find it funny how many Linux types will advocate Linux more or less as a "security through obscurity" thing. "Oh use Linux because all these attacks target Windows!" Ok, well if everyone took your advice and switched to Linux, they'd target Linux instead.
The correct answer for security is, regardless of the system you use, assume it is vulnerable. Assume you can be attacked (because you can). Then take steps to remediate it. Have defense in depth, have layers of security so if one fails others still exist. Keep your security up to date and able to deal with current threats. Do this, and it doesn't really matter what OS you run, you are as safe as you can be.
You have to look at it like physical security, where there is no such thing as perfect security. There is no system that cannot be broken or bypassed in some way. All you can do is make it good enough to ward off any threats for long enough to detect and stop them. There is not a single step you can take to keep things safe, including moving your location.
That is sort of what is being talked about here. It would be like moving from the city out to a sparse area. Ok, that probably will reduce attacks; however, if that's your solution for security, you've done nothing. You are just hoping you don't get attacked; you haven't done anything to actually deal with the attacks. Same deal with switching OSes. Just saying "Oh well, use Linux" doesn't really help. Sure, there are fewer attacks overall for it, but that doesn't mean anything. If you still implement bad security practices (like having users run as root and having weak passwords) then you've done nothing for real security. You are just hoping that by being less visible you won't get attacked; you've no ability to actually deal with an attack.
So choose your OS based on which one works the best for what you do. Then take steps to properly secure it, because the proactive security measures are what really keep you safe, not the OS. It is perfectly possible to have an extremely secure Windows network, and an extremely insecure Linux network.