Nothing New In Aurora Hack
Attackers targeting victims through phishing e-mails that lure users to maliciously crafted Web sites is nothing new. But it does highlight the sophistication of the modern attacker.
January 16, 2010
We don't know many details about how Google was hacked, or all of the other companies that were involved, but we do know that the attackers used targeted phishing e-mails to trick users into clicking on a link that led them to a maliciously crafted Web site. That Web site then used an exploit to infect the victims' systems through a vulnerability in a web browser, in this case Internet Explorer.
This is a very old story. According to an Anti-Phishing Working Group report published in September, the number of phishing Web sites (which is essentially what a significant portion of this hack was) reached 49,084 in June of 2009. Everyday Internet users are targeted with phishing attacks to steal their identities, credit card and bank account information, customer lists, trade secrets - whatever may be of value.
What's interesting here is who the attackers are alleged to be, and the high-profile nature of the targeted companies. It's also noteworthy that a zero-day vulnerability was used, as opposed to a vulnerability that has already been disclosed - which is still way more common.
Professional attackers have been turning increasingly to specialized, highly targeted attacks for a while now, and that's certainly what appears to have happened in this wave of attacks. Way back in 2007 (many lifetimes in Internet years), the U.S.-China Economic and Security Review Commission (USCC) cited Chinese espionage as one of the top risks to the U.S. technology industry. There's a link to the report, and an overview of a wave of hacking known as "Titan Rain" that is eerily similar to this most recent episode, in this post from 2008: China's Long List Of Hacking Denials. It also quotes a Chinese official claiming China doesn't have the skills to conduct such attacks.
None of this should be of any surprise to anyone who has been paying attention.
We've known that such highly-targeted attacks occur, but they've mostly been discussed as targeting government agency networks. Now we see, clearly, that they're used for corporate espionage and that they are very effective.
The recent attacks also underscore the fact that security managers should forget about big, scary, and nebulous figures such as 25 million new malware variants hitting the Web in a single year. Instead, they should work on protecting the infrastructure with the necessary technology and employee security awareness training as if the organization were being targeted by a handful of highly skilled, educated, and motivated attackers. That's the threat landscape any business with intellectual property faces every single day.
From Dark Reading:
"Dmitri Alperovitch, vice president of threat research at McAfee, says the attack using the IE flaw was what allowed intruders to take over victims' machines and then access their company networks and resources. "All the user had to do was click on the link and the malware was automatically downloaded onto their machine, and it proceeded to update itself," Alperovitch says. "One of the modules was a remote-control capability that allowed them to take over the machine. From that point forward, they had access to the [victim's] network and could do reconnaissance and exfiltrate any data they encountered, and go after key resources.""
Sure, the attacks were discovered, but once the malicious payload is delivered and the attacker has gained control of the target's system, the damage is done within minutes or hours. Any additional time is gravy for the attacker.
The best - but certainly not perfect - defense is layered defenses. Make sure employees are properly trained not to open attachments or click on links in suspicious e-mails. In the event that training fails, make sure endpoint anti-malware and personal firewalls are running and that operating systems and applications are patched. It's also a great idea to make sure you are filtering Web traffic through a URL and reputation filter.
And, for the next few days or weeks, closely monitor Microsoft Security Advisory (979352) for updates to the zero-day in Internet Explorer that made the remote attacks possible.