Aurora Attack — Resistance Is Futile, Pretty Much

eldavojohn writes "Do you have branch offices in China? iSec has published a new report (PDF) outlining the severity of the attacks on Google.cn, allegedly by the Chinese government, dubbed 'Aurora' attacks. Up to 100 companies were victims, and some are speculating that resistance to such attacks is futile. The report lays out the shape of the attacks — which were customized per-company based on installed vulnerable software and antivirus protection: '1. The attacker socially engineers a victim, often in an overseas office, to visit a malicious website. 2. This website uses a browser vulnerability to load custom malware on the initial victim's machine. 3. The malware calls out to a control server, likely identified by a dynamic DNS address. 4. The attacker escalates his privilege on the corporate Windows network, using cached or local administrator credentials. 5. The attacker attempts to access an Active Directory server to obtain the password database, which can be cracked onsite or offsite. 6. The attacker uses cracked credentials to obtain VPN access, or creates a fake user in the VPN access server. 7. At this point, the attack varies based upon the victim. The attacker may steal administrator credentials to access production systems, obtain source code from a source repository, access data hosted at the victim, or explore Intranet sites for valuable intellectual property.' The report also has pages of recommendations as well as lessons learned, which any systems administrator — even those inside the US — should read and take note of."

oh for the love of ____!

[girlintraining]

Okay, I know an ex-pat who has moved to China and married. I have a much better understanding of the current state of technology and governmental oversight there than most here. Let's clear some things up:

The government closely monitors it citizens using every form of surveillance available in public places (which include the internet) to ensure that they are not acting in a fashion the government defines as "subversive". They aren't interested in international cyber-terrorism. They simply realize that they need to be where their citizens are to maintain the umbrella of surveillance. They're not trying to blow up power plants or destroy financial markets, or engage in other acts of cyber-terrorism. They are simply of the mindset that the internet lacks geographical boundaries, and hence treat it somewhat like international waters, and regularily patrol and conduct intrusions on remote systems for the purpose of effecting surveillance on its own citizens.

They are also interested in industrial espionage against specific high-value targets that have technology that China cannot replicate with its limited (though rapidly growing) infrastructure. China is very good at copying technology. It has very little ability (or desire) to innovate. They are focused primarily on a massive modernization program so as to set themselves up to compete with the EU, US, and south asian markets. Hong Kong is about the only ace they have up their sleeve right now there. So they conduct limited cyber attacks for the purpose of acquiring the information and designs to manufacture technologies that are highly intricate (such as microprocessor design).

This is not a statement on the validity of any sovereignty claims, or a moral judgement on China's state-sponsored activities on the global communications networks, merely an statement of their motivations.

Re:oh for the love of ____!

[VendettaMF]

Meanwhile I _am_ an expat, currently in China, and I can tell you your information is lacking in a few areas.

The Chinese government may not be out to detonate nuclear plants remotely (though you can be damn sure that when such abilities/openings are located that they are carefully filed against future need), but they are most certainly out to obtain every piece of hi-tech IP they can get hold of, as well as every bit of blackmail material, every bit of financial info and absolutely everything else they can find that will give them an edge in any arena over any and every other nation.

That's on top of all the internal monitoring of course.

Number 5?

[DigiShaman]

5. The attacker attempts to access an Active Directory server to obtain the password database, which can be cracked onsite or offsite.

HOW!!!?? Unless some boneheaded sysadmin granted a user with Domain Admin access, I don't see how this is even remotely possible. Someone with just plain Domain User access either authenticates, or doesn't. Is this article suggesting all local user names and passwords from a DC (domain controller) are locally cached prior to authentication?

Re:google has a corporate windows network?

[VendettaMF]

Because, by law, to have an office in China you must have Chinese employees in high-ranking positions.

If your company is of interest then you can be guaranteed of having at least two plants in the office. One to be the obvious pro-party red-book waving decoy, and the other to save them the time and effort of having to phish someone to start the attack.

Asymmetric Warfare

[sp3d2orbit]

I read a paper about a decade ago (which I found thanks to Slashdot) describing how China would "hypothetically" wage a war against the US and win without firing a shot. I can't find the paper any more, but it was written by four Chinese generals. Over the last decade things have pretty much played out exactly like the paper laid things out: an economic assault, a propaganda assault, and an electronic assault. If anyone knows the paper I would love to see it again -- I think it even got turned into a book.

One day, long from now, will people wonder why we didn't see the attack coming until it was way too late?

Woo! Monoculture!

[copponex]

I'm sure that doesn't carry any risks!

But seriously, if Google were evil geniuses, they'd create hundreds of smaller data centers around the US, with different ecosystems of software security and virtualization and ip blocks, and then use them as a raid array to back up each other.

Damn I wish I had a billion bucks.

TCp is not the answer to this.

[leuk_he]

There are still the same vector of attack possible. e.g. if someone signs adobe an old PDF reader.exe as trusted, TCP is vulnerable immediately.

There really is no simple answer to this. The fact that everything is networked nowadays is not helping.

But all vector of attack can be made as hard as possible.

1. The attacker socially engineers a victim, often in an overseas office, to visit a malicious website.
Anwer -Train users.
  2. This website uses a browser vulnerability to load custom malware on the initial victim's machine.
Answer: minimize number of plugin, up to date browser, Put internet acces in a virualized separate part of the network
3. The malware calls out to a control server, likely identified by a dynamic DNS address.
Anser: kill those control servers!
4. The attacker escalates his privilege on the corporate Windows network, using cached or local administrator credentials.
Answer: Should not be possible. A users should not get admin right.
5. The attacker attempts to access an Active Directory server to obtain the password database, which can be cracked onsite or offsite.
Answer: no answer possble, see 4.
6. The attacker uses cracked credentials to obtain VPN access, or creates a fake user in the VPN access server.
Answer: Check the VPN access logs AND Use second channel authorisation(token)
7. At this point, the attack varies based upon the victim. The attacker may steal administrator credentials to access production systems, obtain source code from a source repository, access data hosted at the victim, or explore Intranet sites for valuable intellectual property.'
Answer: Don't put all the eggs in one basket. A user should only be able to acces what he needs, not everything.

Re:Sounds like resistance is easy.

[Richard_at_work]

We did this in our business - created a vb app which popped up a dialog box saying 'You just breached the network terms of use.' and logged the currently logged in username and IP address to a database.

We then emailed that to everyone in the company, from an outside address (and specifically allowed it in the email filters to simulate a worst case scenario), and sat back and watched who clicked and who didn't. It was quite enlightening.