Slashdot Mirror

← Back to Stories (view on slashdot.org)

Aurora Attack — Resistance Is Futile, Pretty Much

Posted by kdawson on from the big-leagues dept.

eldavojohn writes "Do you have branch offices in China? iSec has published a new report (PDF) outlining the severity of the attacks on Google.cn, allegedly by the Chinese government, dubbed 'Aurora' attacks. Up to 100 companies were victims, and some are speculating that resistance to such attacks is futile. The report lays out the shape of the attacks — which were customized per-company based on installed vulnerable software and antivirus protection: '1. The attacker socially engineers a victim, often in an overseas office, to visit a malicious website. 2. This website uses a browser vulnerability to load custom malware on the initial victim's machine. 3. The malware calls out to a control server, likely identified by a dynamic DNS address. 4. The attacker escalates his privilege on the corporate Windows network, using cached or local administrator credentials. 5. The attacker attempts to access an Active Directory server to obtain the password database, which can be cracked onsite or offsite. 6. The attacker uses cracked credentials to obtain VPN access, or creates a fake user in the VPN access server. 7. At this point, the attack varies based upon the victim. The attacker may steal administrator credentials to access production systems, obtain source code from a source repository, access data hosted at the victim, or explore Intranet sites for valuable intellectual property.' The report also has pages of recommendations as well as lessons learned, which any systems administrator — even those inside the US — should read and take note of."

3 of 268 comments (clear)

  1. Re:oh for the love of ____! by VendettaMF · · Score: 5, Interesting

    Meanwhile I _am_ an expat, currently in China, and I can tell you your information is lacking in a few areas.

    The Chinese government may not be out to detonate nuclear plants remotely (though you can be damn sure that when such abilities/openings are located that they are carefully filed against future need), but they are most certainly out to obtain every piece of hi-tech IP they can get hold of, as well as every bit of blackmail material, every bit of financial info and absolutely everything else they can find that will give them an edge in any arena over any and every other nation.

    That's on top of all the internal monitoring of course.

    --
    kartune85 : Incapable of reason, observation or learning. A kind of dim, drab, flightless parrot.
  2. Asymmetric Warfare by sp3d2orbit · · Score: 4, Interesting

    I read a paper about a decade ago (which I found thanks to Slashdot) describing how China would "hypothetically" wage a war against the US and win without firing a shot. I can't find the paper any more, but it was written by four Chinese generals. Over the last decade things have pretty much played out exactly like the paper laid things out: an economic assault, a propaganda assault, and an electronic assault. If anyone knows the paper I would love to see it again -- I think it even got turned into a book.

    One day, long from now, will people wonder why we didn't see the attack coming until it was way too late?

  3. TCp is not the answer to this. by leuk_he · · Score: 4, Interesting

    There are still the same vector of attack possible. e.g. if someone signs adobe an old PDF reader.exe as trusted, TCP is vulnerable immediately.

    There really is no simple answer to this. The fact that everything is networked nowadays is not helping.

    But all vector of attack can be made as hard as possible.

    1. The attacker socially engineers a victim, often in an overseas office, to visit a malicious website.
    Anwer -Train users.
      2. This website uses a browser vulnerability to load custom malware on the initial victim's machine.
    Answer: minimize number of plugin, up to date browser, Put internet acces in a virualized separate part of the network
    3. The malware calls out to a control server, likely identified by a dynamic DNS address.
    Anser: kill those control servers!
    4. The attacker escalates his privilege on the corporate Windows network, using cached or local administrator credentials.
    Answer: Should not be possible. A users should not get admin right.
    5. The attacker attempts to access an Active Directory server to obtain the password database, which can be cracked onsite or offsite.
    Answer: no answer possble, see 4.
    6. The attacker uses cracked credentials to obtain VPN access, or creates a fake user in the VPN access server.
    Answer: Check the VPN access logs AND Use second channel authorisation(token)
    7. At this point, the attack varies based upon the victim. The attacker may steal administrator credentials to access production systems, obtain source code from a source repository, access data hosted at the victim, or explore Intranet sites for valuable intellectual property.'
    Answer: Don't put all the eggs in one basket. A user should only be able to acces what he needs, not everything.