Hackers seeking source code from Google, Adobe and dozens of other high-profile companies used unprecedented tactics that combined encryption, stealth programming and a zero-day vulnerability in Internet Explorer, according to new details released by the anti-virus firm McAfee.
The attack, which has been described as “highly sophisticated,” used nearly a dozen pieces of malware and several levels of encryption to burrow deeply into the bowels of company networks to extract data while obscuring their activity, according to Dmitri Alperovitch, vice president of threat research for McAfee.
Once the user visited the malicious site, their Internet Explorer browser was exploited to download an array of malware to their computer automatically and transparently. The programs unloaded seamlessly and silently onto the system, like Russian nesting dolls, flowing one after the other.
“The initial piece of code was shell code encrypted three times and that activated the exploit,” Alperovitch said. “Then it executed downloads from an external machine that dropped the first piece of binary on the host. That download was also encrypted. The encrypted binary packed itself into a couple of executables that were also encrypted.”
One of the malicious programs opened a remote backdoor to the computer, establishing an encrypted covert channel that masqueraded as an SSL connection to avoid detection. This allowed the attackers ongoing access to the computer and to use it as a “beachhead” into other parts of the network, Alperovitch said, to search for login credentials, intellectual property and whatever else they were seeking.
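The covert channel described above is detectable precisely because it only masquerades as SSL: a defender can check whether the first client bytes of each port-443 flow actually form a TLS ClientHello. This is an added illustration, not code from the article or from McAfee; the flow records, the `looks_like_tls_client_hello` and `flag_fake_tls` helpers and the byte strings are all constructed here.

```python
import struct

# Constructed sample: the first bytes a real TLS 1.2 client sends
# (record header, ClientHello header, client_version 3.3, start of the random).
GOOD_HELLO = bytes.fromhex("160301" "00c8" "01" "0000c4" "0303") + bytes(32)
# Constructed sample: a custom binary protocol sent to port 443 that is not TLS.
FAKE_SSL = bytes.fromhex("ffffdeadbeef") + bytes(20)

# Constructed flow records as a sensor might export them (first client bytes only).
SAMPLE_FLOWS = [
    {"id": "flow-1", "dst_port": 443, "client_bytes": GOOD_HELLO},
    {"id": "flow-2", "dst_port": 443, "client_bytes": FAKE_SSL},
    {"id": "flow-3", "dst_port": 80, "client_bytes": b"GET / HTTP/1.1\r\n"},
]


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """True if the stream opens with a plausible TLS (or SSLv2-style) ClientHello."""
    # SSLv2-compatible hello: 2-byte length header with MSB set, then type 0x01.
    if len(payload) >= 3 and payload[0] & 0x80 and payload[2] == 0x01:
        return True
    if len(payload) < 11:
        return False
    # TLS record header: type 0x16 (handshake), version 3.x, 16-bit length.
    ctype, major, minor, rec_len = struct.unpack("!BBBH", payload[:5])
    if ctype != 0x16 or major != 3 or minor > 4:
        return False
    if not 0 < rec_len <= 16384 + 2048:
        return False
    # Handshake header: type 0x01 (ClientHello), 24-bit length within the record.
    hs_type = payload[5]
    hs_len = int.from_bytes(payload[6:9], "big")
    if hs_type != 0x01 or hs_len + 4 > rec_len:
        return False
    # client_version inside the ClientHello must also be 3.x.
    return payload[9] == 3 and payload[10] <= 4


def flag_fake_tls(flows):
    """Return ids of flows to port 443 whose client bytes are not a ClientHello."""
    return [
        f["id"]
        for f in flows
        if f["dst_port"] == 443 and not looks_like_tls_client_hello(f["client_bytes"])
    ]


if __name__ == "__main__":
    print("non-TLS traffic on 443:", flag_fake_tls(SAMPLE_FLOWS))
```

A sensor that only keys on port number treats both flows as SSL; the byte-level check separates the genuine handshake from the masquerading channel.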
The hack attacks have been dubbed “Operation Aurora” by McAfee because of references in the malware to a file folder named “Aurora.”
Google announced Tuesday, January 12, 2010, that it had been the target of a “highly sophisticated” and coordinated hack attack against its corporate network. It said the hackers had stolen intellectual property and sought access to the Gmail accounts of human rights activists. The attack originated from China, the company said.
Security firm iDefense also said that a vulnerability in Adobe’s Reader and Acrobat applications was used to gain access to some of the 34 breached companies including Adobe, Symantec, Yahoo and Dow Chemical. The hackers sent e-mail to targets that carried malicious PDF attachments.
Alperovitch said that none of the companies he examined were breached with a malicious PDF, but he said there were likely many methods used to attack the various companies, not just the IE vulnerability.
POSTED BY POOJA PRASAD ON JANUARY 12, 2010 3:16 PM
Adobe became aware on January 2, 2010 of a computer security incident involving a sophisticated, coordinated attack against corporate network systems managed by Adobe and other companies. We are currently in contact with other companies and are investigating the incident. At this time, we have no evidence to indicate that any sensitive information–including customer, financial, employee or any other sensitive data–has been compromised. We anticipate the full investigation will take quite some time to complete. We have and will continue to use information gained from this attack to make infrastructure improvements to enhance security for Adobe, our customers and our partners.
[Update: iDefense ~ “Upon further review, we are retracting our initial assessment regarding the likely use of Adobe vulnerabilities,” the company said. “There are currently no confirmed instances of a vulnerability in Adobe technologies being used in these attacks,” the company said, adding that it is continuing to investigate the attacks.]
Most interestingly, and seemingly slipping under the wire, I stumbled across a posting by Bruce Schneier, a security technologist, who wrote on his blog that this attack might have in fact been made easier due to U.S. government requirements for mandatory access to user data.
Google says hackers from China got into its Gmail system:
Google made headlines when it went public with the fact that Chinese hackers had penetrated some of its services, such as Gmail, in a politically motivated attempt at intelligence gathering. The news here isn’t that Chinese hackers engage in these activities or that their attempts are technically sophisticated — we knew that already — it’s that the U.S. government inadvertently aided the hackers.
Hackers exploited feature put into system at behest of U.S. government:
In order to comply with government search warrants on user data, Google created a backdoor access system into Gmail accounts. This feature is what the Chinese hackers exploited to gain access.
Google’s system isn’t unique. Democratic governments around the world — in Sweden, Canada and the UK, for example — are rushing to pass laws giving their police new powers of Internet surveillance, in many cases requiring communications system providers to redesign products and services they sell.
Many are also passing data retention laws, forcing companies to retain information on their customers. In the U.S., the 1994 Communications Assistance for Law Enforcement Act required phone companies to facilitate FBI eavesdropping, and since 2001, the National Security Agency has built substantial eavesdropping systems with the help of those phone companies.
When governments get access to private communications, they invite abuse:
Systems like these invite misuse: criminal appropriation, government abuse and stretching by everyone possible to apply to situations that are applicable only by the most tortuous logic. The FBI illegally wiretapped the phones of Americans, often falsely invoking terrorism emergencies, 3,500 times between 2002 and 2006 without a warrant. Internet surveillance and control will be no different.
Official misuses are bad enough, but it’s the unofficial uses that worry me more. Any surveillance and control system must itself be secured. An infrastructure conducive to surveillance and control invites surveillance and control, both by the people you expect and by the people you don’t.
Government surveillance and control of Internet is flourishing:
These risks are not merely theoretical. After September 11, the NSA built a surveillance infrastructure to eavesdrop on telephone calls and e-mails within the U.S. Although procedural rules stated that only non-Americans and international phone calls were to be listened to, actual practice didn’t match those rules. NSA analysts collected more data than they were authorized to and used the system to spy on wives, girlfriends and notables such as President Clinton.
But that’s not the most serious misuse of a telecommunications surveillance infrastructure. In Greece, between June 2004 and March 2005, someone wiretapped more than 100 cell phones belonging to members of the Greek government: the prime minister and the ministers of defense, foreign affairs and justice.
Ericsson built this wiretapping capability into Vodafone’s products and enabled it only for governments that requested it. Greece wasn’t one of those governments, but someone still unknown — A rival political party? Organized crime? Foreign intelligence? — figured out how to surreptitiously turn the feature on.
Note: Bruce Schneier is a security technologist and author of “Beyond Fear: Thinking Sensibly About Security in an Uncertain World.” Read more of his writing at www.schneier.com.