Slashdot Mirror


Aurora Attack — Resistance Is Futile, Pretty Much

eldavojohn writes "Do you have branch offices in China? iSec has published a new report (PDF) outlining the severity of the attacks on Google.cn, allegedly by the Chinese government, dubbed 'Aurora' attacks. Up to 100 companies were victims, and some are speculating that resistance to such attacks is futile. The report lays out the shape of the attacks — which were customized per-company based on installed vulnerable software and antivirus protection: '1. The attacker socially engineers a victim, often in an overseas office, to visit a malicious website. 2. This website uses a browser vulnerability to load custom malware on the initial victim's machine. 3. The malware calls out to a control server, likely identified by a dynamic DNS address. 4. The attacker escalates his privilege on the corporate Windows network, using cached or local administrator credentials. 5. The attacker attempts to access an Active Directory server to obtain the password database, which can be cracked onsite or offsite. 6. The attacker uses cracked credentials to obtain VPN access, or creates a fake user in the VPN access server. 7. At this point, the attack varies based upon the victim. The attacker may steal administrator credentials to access production systems, obtain source code from a source repository, access data hosted at the victim, or explore Intranet sites for valuable intellectual property.' The report also has pages of recommendations as well as lessons learned, which any systems administrator — even those inside the US — should read and take note of."

35 of 268 comments

  1. Who clicked on the PDF? by symbolset · Score: 5, Insightful

    Major attack vector: Acrobat Reader. Security company publishes intrusion analysis in pdf format. If you clicked it, you may be part of the problem.

    --
    Help stamp out iliturcy.
    1. Re:Who clicked on the PDF? by biryokumaru · Score: 5, Informative

      Major attack preventer: Google docs PDF reader.

      --
      When you're afraid to download music illegally in your own home, then the terrorists have won!
    2. Re:Who clicked on the PDF? by PsychoSlashDot · Score: 5, Insightful

      Absolutely. It's kind of funny because it was over five years ago that Microsoft "got it" and started reducing the attack surface in their operating systems. Non-essential services were disabled by default for instance.

      Now, in 2010 the web experience "requires" a browser, Flash, Adobe Reader, Java run-time, and potentially a slew of other plug-ins. Everything from WinZip to the Google Toolbar has a service running in the background to update it periodically, and there's a push for unrelated shit to be bundled with what we try to install. Download managers are becoming increasingly the norm, with Adobe burying their direct link to Reader and Flash one link further from the "Click Here to Download" link the same week they patched an exploit in it.

      We need to re-think how we compute. Less is more. Pick a standard such as HTML5 and stick to it. No plugins. (Beyond page-agnostic browser functionality add-ons like Ad-Block Plus.) No background services, no download managers, no web-extending formats. If a stock browser less than three years old can't render it, it isn't the web. If it isn't the web, we don't code for it. JPG, PNG, and a handful of standardized other formats can be direct linked-to.

      That's not the panacea... it won't solve it all. But going the way we're going is the wrong direction. Let's try less crap on our machines that might be vulnerable.

      --
      "Oh no... he found the .sig setting."
  2. Sounds like resistance is easy. by Kludge · Score: 3, Insightful

    Just don't use MS Windows.

    1. Re:Sounds like resistance is easy. by Wingman+5 · Score: 5, Insightful

      Yeah, because there is no way to get rootkited or have other vulnerabilities on a Linux system.

      Hey, I wonder where the term "rootkit" originated?

    2. Re:Sounds like resistance is easy. by sopssa · Score: 4, Insightful

      This is especially true because these are highly targeted attacks. Unlike other malware, these don't go where the majority of users are - they go against what the target company is using and have a reason to spend the extra time on it.

    3. Re:Sounds like resistance is easy. by bersl2 · Score: 3, Insightful

      Don't think of it as obscurity. Think of it more as diversity.

    4. Re:Sounds like resistance is easy. by Sycraft-fu · Score: 4, Insightful

      Yep. I do find it funny how many Linux types will advocate Linux more or less as a "security through obscurity" thing. "Oh use Linux because all these attacks target Windows!" Ok, well if everyone took your advice and switched to Linux, they'd target Linux instead.

      The correct answer for security is, regardless of the system you use, assume it is vulnerable. Assume you can be attacked (because you can). Then take steps to remediate it. Have defense in depth, have layers of security so if one fails others still exist. Keep your security up to date and able to deal with current threats. Do this, and it doesn't really matter what OS you run, you are as safe as you can be.

      You have to look at it like with physical security, where there is no such thing as perfect security. There is no system that cannot be broken or bypassed in some way. All you can do is make it good enough to ward off any threats for long enough to detect and stop the threats. There is not a single step you can take to keep things safe, including moving your location.

      That is sort of what is being talked about here. It would be like moving from the city out to a sparse area. Ok, that probably will reduce attacks, however if that's your solution for security, you've done nothing. You are just hoping you don't get attacked, you haven't done anything to actually deal with the attacks. Same deal with switching OSes. Just saying "Oh well, use Linux" doesn't really help. Sure there are fewer attacks overall for it, but that doesn't mean anything. If you still implement bad security practices (like having users run as root and having weak passwords) then you've done nothing for real security. You are just hoping that by being less visible you won't get attacked, you've no ability to actually deal with an attack.

      So choose your OS based on which one works the best for what you do. Then take steps to properly secure it, because the proactive security measures are what really keep you safe, not the OS. It is perfectly possible to have an extremely secure Windows network, and an extremely insecure Linux network.

    5. Re:Sounds like resistance is easy. by colourmyeyes · Score: 3, Informative

      I'm guessing you're a troll, but I do this. Well not exactly, you don't need to convert anything.

      Open a youtube video, let it buffer, go into /tmp and there's the file. Just do "mplayer file" and watch it. I do this because the flash player crashed a lot (x86_64 Linux) and mplayer is smoother.

      --
      My grandmother used anecdotal evidence all the time, and she lived to be 120 years old.
    6. Re:Sounds like resistance is easy. by Richard_at_work · Score: 3, Interesting

      We did this in our business - created a vb app which popped up a dialog box saying 'You just breached the network terms of use.' and logged the currently logged in username and IP address to a database.

      We then emailed that to everyone in the company, from an outside address (and specifically allowed it in the email filters to simulate a worst case scenario), and sat back and watched who clicked and who didn't. It was quite enlightening.

    7. Re:Sounds like resistance is easy. by iserlohn · Score: 3, Insightful

      It's perfectly possible to walk on the moon as well. Now about the amount of effort to get there.....

  3. oh for the love of ____! by girlintraining · Score: 3, Interesting

    Okay, I know an ex-pat who has moved to China and married. I have a much better understanding of the current state of technology and governmental oversight there than most here. Let's clear some things up:

    The government closely monitors its citizens using every form of surveillance available in public places (which include the internet) to ensure that they are not acting in a fashion the government defines as "subversive". They aren't interested in international cyber-terrorism. They simply realize that they need to be where their citizens are to maintain the umbrella of surveillance. They're not trying to blow up power plants or destroy financial markets, or engage in other acts of cyber-terrorism. They are simply of the mindset that the internet lacks geographical boundaries, and hence treat it somewhat like international waters, and regularly patrol and conduct intrusions on remote systems for the purpose of effecting surveillance on their own citizens.

    They are also interested in industrial espionage against specific high-value targets that have technology that China cannot replicate with its limited (though rapidly growing) infrastructure. China is very good at copying technology. It has very little ability (or desire) to innovate. They are focused primarily on a massive modernization program so as to set themselves up to compete with the EU, US, and South Asian markets. Hong Kong is about the only ace they have up their sleeve right now there. So they conduct limited cyber attacks for the purpose of acquiring the information and designs to manufacture technologies that are highly intricate (such as microprocessor design).

    This is not a statement on the validity of any sovereignty claims, or a moral judgement on China's state-sponsored activities on the global communications networks, merely a statement of their motivations.

    --
    #fuckbeta #iamslashdot #dicemustdie
    1. Re:oh for the love of ____! by VendettaMF · Score: 5, Interesting

      Meanwhile I _am_ an expat, currently in China, and I can tell you your information is lacking in a few areas.

      The Chinese government may not be out to detonate nuclear plants remotely (though you can be damn sure that when such abilities/openings are located that they are carefully filed against future need), but they are most certainly out to obtain every piece of hi-tech IP they can get hold of, as well as every bit of blackmail material, every bit of financial info and absolutely everything else they can find that will give them an edge in any arena over any and every other nation.

      That's on top of all the internal monitoring of course.

      --
      kartune85 : Incapable of reason, observation or learning. A kind of dim, drab, flightless parrot.
    2. Re:oh for the love of ____! by Anonymous Coward · Score: 5, Funny

      Meanwhile I _am_ Chinese, currently in China, and I can tell you your information is lacking in a few areas.

      The Chinese Government is your friend and only wants the best for you.

  4. Even better, don't hire humans by xzvf · Score: 5, Funny

    Humans are the biggest weakness in the chain. Don't hire them, or at least hire the most non-people types you can. Hire the non-team players and the ones that argue with everyone. When someone calls them and asks them to go to a web site, they'll say screw you and hang up.

  5. So for this attack to work. by Anonymous Coward · Score: 3, Insightful

    1. You must first find someone using Windows who is prone to clicking things without thinking. - ok, I accept that.
    2. Running a vulnerable browser - Still quite common, First security failure
    3. Running Windows - Still very plausible
    4. Vulnerable to a privilege escalation exploit - Second security failure
    5. With a network setup that is vulnerable to this kind of thing - Third security failure
    6. Then "accessing" an AD server database - Fourth security failure
    7. To be cracked - ok

    So for this to work you have to have an insecure browser or other userland app that is easily exploitable (Acrobat), an OS with a privilege escalation flaw and a network that will let someone do things they probably shouldn't, an AD server that is crackable so that you can get at the DB.

    IMHO that is a hell of a lot of failures by the various parties for this to work.

    1. Re:So for this attack to work. by Shikaku · Score: 4, Insightful

      Your boss at work:

      "Why can't I install programs on my own machine, I'm the boss for god's sake!"

      He's admin of his own machine now on his corporate internet. Hilarity ensues.

    2. Re:So for this attack to work. by jon3k · Score: 3, Insightful

      Boss's browser is configured to use a Websense proxy (running on Linux actually, Websense Security Gateway). All traffic blocked at the firewall, only Websense allowed out and only via destination port 80 and port 443 (and other specific allows for certain servers/apps to specific destination networks). Uncategorized sites are blocked in Websense. Cisco Botnet filtering installed on ASAs at the edge. Sourcefire IDS monitoring. Ironport e-mail gateways filtering spam. Trend anti-virus running on everything running Windows.

      And most importantly - constant user training, re-training and reminders.

      I'm sure I missed a few other security components I take for granted but that should be enough to cover it. I work for a medium sized health care company, nothing fancy.

  6. Number 5? by DigiShaman · Score: 3, Interesting

    > 5. The attacker attempts to access an Active Directory server to obtain the password database, which can be cracked onsite or offsite.

    HOW!!!?? Unless some boneheaded sysadmin granted a user with Domain Admin access, I don't see how this is even remotely possible. Someone with just plain Domain User access either authenticates, or doesn't. Is this article suggesting all local user names and passwords from a DC (domain controller) are locally cached prior to authentication?

    --
    Life is not for the lazy.
    1. Re:Number 5? by DigiShaman · Score: 4, Informative

      Sorry for the follow-up post, but I think I now understand in a roundabout way. You have to be a member of the Domain Admins group to join a PC to the Domain. It's those Domain Admin credentials that get cached - per PC that's been previously joined. YIKES! So if a user is a member of the local Administrators group, he also has access to the local SAM database. Root the box, and you might be able to recover the cached passwords from it.

      Be sure to change your Domain Admins password often. Honestly, how many people often do that? More than they should really.

      --
      Life is not for the lazy.
    2. Re:Number 5? by dweller_below · Score: 4, Insightful

      > Root the box, and you might be able to recover the cached passwords from it.

      Almost. The iSec paper mentioned, but didn't explain 'Pass The Hash' attacks. See the excellent SANS paper at: http://www.sans.org/reading_room/last.php

      Bottom line is, the attacker doesn't need to get back to the passwords by cracking the hashes. The attacker can just directly use the hashes.

      Being targeted by these guys is like standing in the middle of a crowd of pick-pockets. No matter what you do, they are going to get stuff. You are lucky to get out with your teeth.

      Miles

    3. Re:Number 5? by CalTrumpet · Score: 5, Informative

      There are several methods of escalating to domain admin once you have Local Administrator access on a member workstation. It is our experience that most large Enterprise AD networks are vulnerable to at least one of these issues:

      1. Crack a common local user with a shared password, like "MACHINENAME\ITAdmin". Alternatively, you can use an NTLM hash as a password equivalent with custom tools, like my colleague Jesse Burns demonstrated in 2005.

      2. Crack the cached hash of a domain admin from the SECURITY hive. This hash is created by an interactive login to the machine, i.e. via the local keyboard or RDP. These hashes are not stored after remote RPC, SMB, etc...

      3. Install a keystroke logger and wait for an interactive login by an Administrator. A good technique is to open an IT ticket as the victim, which often triggers an admin to remotely access the machine via RDP.

      4. Wait for an automated process to touch the box with domain admin credentials. Common tools that do this are patch management systems, vulnerability scanners, software licensing compliance tools and event log aggregation systems. When the handshake for the network service begins (say over DCE RPC), the attacker rejects the Kerberos ticket and requests a downgrade to LanMan or NTLMv1. Either one of those protocols will allow an attacker to use a pre-computed time-memory trade-off to quickly recover the password (aka Rainbow Tables).

      5. Wait for an automated "touch" and perform a pass-the-hash attack. This is possible on services that do not enforce at least "Packet Integrity" security. The admin and the victim machine legitimately exchange credentials, but the resulting authenticated connection can now be modified by the attacker. Again, see Burns 2005.
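As an added defender-side example (not from the iSec report or from the post above), the following Python flags two of the conditions CalTrumpet describes in a batch of exported Windows Security Event ID 4624 records: interactive or RDP logons by privileged accounts on a member workstation, which leave cached credentials behind (method 2), and NTLM sessions that completed with the LM or NTLMv1 package rather than NTLMv2 or Kerberos (the downgrade in method 4). The event records, the workstation name and the privileged-account list are constructed sample data; the field names follow the 4624 event schema.

```python
"""Flag risky logon events in exported Windows Security log records.

Constructed example: SAMPLE_EVENTS imitates the key fields of Event ID 4624
("An account was successfully logged on") as exported from the Security log.
Two conditions are flagged:

  * CACHED_ADMIN_CREDS - a privileged account performed an Interactive
    (LogonType 2) or RemoteInteractive/RDP (LogonType 10) logon on a
    member workstation, leaving a cached domain credential verifier there.
  * NTLM_DOWNGRADE     - an NTLM authentication completed with the LM or
    NTLM V1 package instead of NTLM V2 (or Kerberos).
"""
from __future__ import annotations

from dataclasses import dataclass

# Logon types that create a cached domain credential on the host.
INTERACTIVE_LOGON_TYPES = {2, 10}  # 2 = Interactive (console), 10 = RemoteInteractive (RDP)
# LmPackageName values that indicate a weak NTLM dialect was negotiated.
WEAK_LM_PACKAGES = {"LM", "NTLM V1"}

# Constructed list of privileged accounts; in a real deployment this would be
# pulled from the Domain Admins group. Compared case-insensitively.
PRIVILEGED_ACCOUNTS = {"corp\\da-jsmith", "corp\\svc-patchmgmt"}


@dataclass(frozen=True)
class Finding:
    event_index: int
    kind: str
    account: str
    host: str


def _account_key(event: dict) -> str:
    """Normalise DOMAIN\\user from a 4624 record for set lookups."""
    return f"{event['TargetDomainName']}\\{event['TargetUserName']}".lower()


def classify(event: dict) -> list[str]:
    """Return the risk tags that apply to one 4624 record (empty if none)."""
    tags: list[str] = []
    if (_account_key(event) in PRIVILEGED_ACCOUNTS
            and int(event["LogonType"]) in INTERACTIVE_LOGON_TYPES):
        tags.append("CACHED_ADMIN_CREDS")
    if (event["AuthenticationPackageName"].upper() == "NTLM"
            and event.get("LmPackageName", "-").upper() in WEAK_LM_PACKAGES):
        tags.append("NTLM_DOWNGRADE")
    return tags


def scan(events: list[dict]) -> list[Finding]:
    """Run classify() over every record and collect the findings in order."""
    return [Finding(i, tag, _account_key(ev), ev["WorkstationName"])
            for i, ev in enumerate(events) for tag in classify(ev)]


# Constructed sample records (a subset of the 4624 fields).
SAMPLE_EVENTS = [
    # Ordinary user, Kerberos, console logon: nothing to flag.
    {"TargetDomainName": "CORP", "TargetUserName": "alice", "LogonType": "2",
     "AuthenticationPackageName": "Kerberos", "LmPackageName": "-", "WorkstationName": "WS-0142"},
    # Domain admin RDPs to the workstation to work an IT ticket: cached credential left behind.
    {"TargetDomainName": "CORP", "TargetUserName": "da-jsmith", "LogonType": "10",
     "AuthenticationPackageName": "Kerberos", "LmPackageName": "-", "WorkstationName": "WS-0142"},
    # Patch-management account touches the box over the network (type 3) with NTLMv1.
    {"TargetDomainName": "CORP", "TargetUserName": "svc-patchmgmt", "LogonType": "3",
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V1", "WorkstationName": "WS-0142"},
    # Same account, network logon, NTLMv2: acceptable.
    {"TargetDomainName": "CORP", "TargetUserName": "svc-patchmgmt", "LogonType": "3",
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2", "WorkstationName": "WS-0142"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"event {f.event_index}: {f.kind} account={f.account} host={f.host}")
```

In a real environment the records would come from a SIEM export or Get-WinEvent; a domain whose LmCompatibilityLevel policy is set to refuse LM and NTLMv1 should never produce an NTLM_DOWNGRADE finding, so the second rule doubles as a check that the policy is actually in force.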

  7. Re:google has a corporate windows network? by VendettaMF · Score: 3, Interesting

    Because, by law, to have an office in China you must have Chinese employees in high-ranking positions.

    If your company is of interest then you can be guaranteed of having at least two plants in the office. One to be the obvious pro-party red-book waving decoy, and the other to save them the time and effort of having to phish someone to start the attack.

    --
    kartune85 : Incapable of reason, observation or learning. A kind of dim, drab, flightless parrot.
  8. Packet Filter by nuckfuts · Score: 4, Informative

    If you don't expect/want traffic from China, configure your firewall to block IP addresses assigned to China.

    1. Re:Packet Filter by nacturation · Score: 3, Informative

      Or, more succinctly: http://www.blockacountry.com/

      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
  9. Re:How do we know THAT isn't compromised? by Anonymous Coward · Score: 4, Funny

    in china, trojans are small. Because they have small dicks.

  10. Asymmetric Warfare by sp3d2orbit · Score: 4, Interesting

    I read a paper about a decade ago (which I found thanks to Slashdot) describing how China would "hypothetically" wage a war against the US and win without firing a shot. I can't find the paper any more, but it was written by four Chinese generals. Over the last decade things have pretty much played out exactly like the paper laid things out: an economic assault, a propaganda assault, and an electronic assault. If anyone knows the paper I would love to see it again -- I think it even got turned into a book.

    One day, long from now, will people wonder why we didn't see the attack coming until it was way too late?

  11. Unrestricted Warfare by Anonymous Coward · Score: 4, Informative

    That paper was this one hosted on Cryptome: Unrestricted Warfare, by Qiao Liang and Wang Xiangsui (Beijing: PLA Literature and Arts Publishing House, February 1999). It was translated by the FBIS, the CIA's Foreign Broadcast Information Service, which collects and translates reports from around the globe.

  12. Woo! Monoculture! by copponex · Score: 3, Interesting

    I'm sure that doesn't carry any risks!

    But seriously, if Google were evil geniuses, they'd create hundreds of smaller data centers around the US, with different ecosystems of software security and virtualization and IP blocks, and then use them as a RAID array to back up each other.

    Damn I wish I had a billion bucks.

  13. Chinese Patience by IonOtter · Score: 3, Informative

    When I was in the military, we used to shred our secret documents to NSA specs, which is 0.8mm x 4mm. That's about the same width as the "i" in the subject, and about twice as long.

    In 2002, we were informed that this was not small enough, and now had to run the shredded documents through the hammer mill, so everything would be reduced to powder.

    They caught some folks rummaging at the local landfill, looking for the trash bags filled with end of week, end of month and end of year destruction.

    Those people had stereo microscopes in their homes and apartments, and were reassembling the documents and crypto tapes, one tiny piece at a time.

    The Chinese have existed as a nation for longer than any other civilization on the face of this planet, and they take the "long view" in such things.

    --
    [End Of Line]
    1. Re:Chinese Patience by VendettaMF · Score: 5, Informative

      > The Chinese have existed as a nation for longer than any other civilization on the face of this planet,
      > and they take the "long view" in such things.

      Thankfully both of these are incorrect to a lesser and greater degree respectively.

      There may have been people living in the areas of land now referred to as China, but any links between historical cultures and thought and the modern morass are purely fictional.

      And as anyone who has done business in/with China can tell you one of the biggest problems inherent to the nation is a complete inability to plan ahead or consider delayed benefits. None of the Chinese businesses I've worked in, nor the government bureaucracy I've suffered through, have ever included any possibility of passing up 10 bucks in their pocket right now in exchange for a thousand tomorrow.

      We're dealing with a cultural mindset that would unhesitatingly slaughter the goose that laid the golden eggs, not in hopes of finding lots of eggs inside (that assumption requires some logical thought and deductive reasoning), but simply to take its feed and head for picking.

      There is no concept of repeat business here. Any supplier who believes they can get away with it will supply a shipment of non-functional crap and pocket the single payment rather than even bother trying to set up monthly deliveries of functional goods.

      The unstable legal system is partly at fault here. There is just no way in this culture to be sure that your products won't be outlawed/super-taxed next week. Money under the mattress is the only surety.

      --
      kartune85 : Incapable of reason, observation or learning. A kind of dim, drab, flightless parrot.
    2. Re:Chinese Patience by phantomfive · Score: 3, Insightful

      > There is no concept of repeat business here. Any supplier who believes they can get away with it will supply a shipment of non-functional crap and pocket the single payment rather than even bother trying to set up monthly deliveries of functional goods.

      Don't know about China, but I read about one guy in a similar situation in Belgrade, where at the time they sold gasoline for cars in open buckets on the side of the road. Some of the gas was high quality, and others was cheap and could ruin your car. This guy built a relationship with a 'supplier' (who was named Stevo, from Zemun), and paid him extra to make sure he always got him the high quality stuff.

      Same thing in China, if you are willing to establish a good relationship with some suppliers, and make sure they get paid extra for their effort. If you aren't willing to pay extra, if you are stingy and try to wring the last cent out of your supplier, well, you get what you pay for.

      --
      Qxe4
    3. Re:Chinese Patience by In+hydraulis · Score: 3, Insightful

      What makes you think the US is any different? We're talking about a nation that has offshored most of its manufacturing industry for the promise of a few cheap, possibly-functional trinkets.

      If the Chinese cultural mindset "believes they can get away with [supplying a single] shipment of non-functional crap" it is because this approach is working for them. I wonder who their customers are.

  14. Useless filter. by FooAtWFU · Score: 3, Informative

    And get 0wned by a zombie in Switzerland or Dubai or Schenectady or something.

    --
    The World Wide Web is dying. Soon, we shall have only the Internet.
  15. TCP is not the answer to this. by leuk_he · Score: 4, Interesting

    The same vectors of attack are still possible, e.g. if someone signs an old Adobe PDF reader.exe as trusted, TCP is vulnerable immediately.

    There really is no simple answer to this. The fact that everything is networked nowadays is not helping.

    But all vectors of attack can be made as hard as possible.

    1. The attacker socially engineers a victim, often in an overseas office, to visit a malicious website.
    Answer: Train users.
    2. This website uses a browser vulnerability to load custom malware on the initial victim's machine.
    Answer: minimize the number of plugins, keep the browser up to date, put internet access in a virtualized separate part of the network.
    3. The malware calls out to a control server, likely identified by a dynamic DNS address.
    Answer: kill those control servers!
    4. The attacker escalates his privilege on the corporate Windows network, using cached or local administrator credentials.
    Answer: Should not be possible. Users should not get admin rights.
    5. The attacker attempts to access an Active Directory server to obtain the password database, which can be cracked onsite or offsite.
    Answer: no answer possible, see 4.
    6. The attacker uses cracked credentials to obtain VPN access, or creates a fake user in the VPN access server.
    Answer: Check the VPN access logs AND use second-channel authorisation (token).
    7. At this point, the attack varies based upon the victim. The attacker may steal administrator credentials to access production systems, obtain source code from a source repository, access data hosted at the victim, or explore Intranet sites for valuable intellectual property.
    Answer: Don't put all the eggs in one basket. A user should only be able to access what he needs, not everything.