Google Blogoscoped

Analysis of Chinese Attacks

George R

Tuesday, March 2, 2010

The Register and Slashdot have coverage of a report from iSec giving details of the Chinese attacks on Google and others.

The assault system is named "Aurora". The Register story says the report claims the targets were hand selected and attack methods were customized to each site. Dan Goodin is reporting in The Register on statements by Alex Stamos of iSec.

"Attackers are willing to spend months attacking people in these companies, and they write custom malware specific to those companies," he told The Register. "The malware for each of these companies has been customized based on the versions of vulnerable software they're running, as well as what kind of anti-virus they're using. The problem is to defend against that level of attacker – the game is completely different than what most companies are doing."

The report lists:

"Despite the diversity of victims in these attacks, we have seen a common pattern in the attacks, which generally proceed like this:

1. The attacker socially engineers a victim, often in an overseas office, to visit a malicious website.

2. This website uses a browser vulnerability to load custom malware on the initial victim’s machine.

3. The malware calls out to a control server, likely identified by a dynamic DNS address.

4. The attacker escalates his privilege on the corporate Windows network, using cached or local administrator credentials.

5. The attacker attempts to access an Active Directory server to obtain the password database, which can be cracked onsite or offsite.

6. The attacker uses cracked credentials to obtain VPN access, or creates a fake user in the VPN access server.

7. At this point, the attack varies based upon the victim. The attacker may steal administrator credentials to access production systems, obtain source code from a source repository, access data hosted at the victim, or explore Intranet sites for valuable intellectual property."

The Register:
"Most resistance to 'Aurora' hack attacks futile, says report" http://www.theregister.co.uk/2010/03/01/aurora_resistence_futile/

Slashdot:
"Aurora Attack — Resistance Is Futile, Pretty Much" http://it.slashdot.org/story/10/03/02/0047249/Aurora-Attack-mdash-Resistance-Is-Futile-Pretty-Much?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29&utm_content=Google+Feedfetcher

iSec report: https://www.isecpartners.com/files/iSEC_Aurora_Response_Recommendations.pdf (pdf)
google cache: http://74.125.47.132/search?q=cache:nTBX_4TzSYEJ:https://www.isecpartners.com/files/iSEC_Aurora_Response_Recommendations.pdf (html)

earlier blogoscoped coverage of attacks: http://blogoscoped.com/forum/168038.html#id168038
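Step 3 of the quoted pattern says the malware beacons to a control server "likely identified by a dynamic DNS address". As an added example (not from the iSec report or this post), here is a small defender-side check that scans resolver logs for lookups of dynamic DNS provider names and groups them by client; the log format and the provider suffix list are constructed assumptions, and a real deployment would use a maintained suffix list and an allowlist for legitimate internal use.

```python
import re
from collections import defaultdict

# Illustrative, incomplete set of dynamic DNS provider suffixes (assumption for this example).
DYNAMIC_DNS_SUFFIXES = ("dyndns.org", "no-ip.com", "ddns.net", "hopto.org", "zapto.org")

# Constructed sample resolver log, one query per line: "<timestamp> <client_ip> <query_name>"
SAMPLE_DNS_LOG = """\
2010-03-02T09:14:01 10.20.1.15 mail.example.com
2010-03-02T09:14:07 10.20.1.15 update.corp-patch.hopto.org
2010-03-02T09:15:22 10.20.1.40 intranet.example.com
2010-03-02T09:16:03 10.20.1.15 update.corp-patch.hopto.org
2010-03-02T09:17:45 10.20.1.77 cdn.vendor-files.ddns.net
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def is_dynamic_dns(name, suffixes=DYNAMIC_DNS_SUFFIXES):
    """True if the query name is (a subdomain of) a known dynamic DNS provider.

    Matches on a label boundary, so 'notddns.net' does not match 'ddns.net'.
    """
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in suffixes)


def find_dynamic_dns_callouts(log_text, suffixes=DYNAMIC_DNS_SUFFIXES):
    """Group dynamic DNS lookups by client: {client_ip: {query_name: count}}.

    Repeated lookups of the same name from one host are the beaconing
    pattern worth triaging; malformed log lines are skipped, not fatal.
    """
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _ts, client, qname = m.groups()
        if is_dynamic_dns(qname, suffixes):
            hits[client][qname.lower().rstrip(".")] += 1
    return {client: dict(names) for client, names in hits.items()}


if __name__ == "__main__":
    for client, names in sorted(find_dynamic_dns_callouts(SAMPLE_DNS_LOG).items()):
        for qname, count in names.items():
            print(f"{client} -> {qname} ({count} lookups)")
```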

Juha-Matti Laurio

Also

http://www.wired.com/threatlevel/2010/03/source-code-hacks/
