An e-mail arrives in an employees' inbox from a trusted friend with a interesting subject line, the employee opens unbeknownst to the employee they have initiated the chain of events that would later expand in a fabric known to the world as Operation Aurora. It has been two years since Google and thirty-three other commercial companies were breached in the famed Operation Aurora attack. The Advanced Persistent Threat used code obfuscation, social engineering, Zero-Day exploits, Remote Access Trojan and custom encryption mechanisms. The attackers leveraged the above methods to gain access to Gmail accounts , Intellectual Properties, and Source Code. Crippling the companies' confidentiality while opening the opportunity for degradation of data integrity, the attackers defeated the CIA triad. Prevention of future breaches like Operation Aurora have been addressed through patching and other security technologies.(InfosecEvents, 2010)
Operation Aurora was a directed attack at thirty-four United States Companies over the span of two months.(InfosecEvents, 2010) What made the attack successful was the Zero Day exploit in Internet Explorer 6. Windows claimed ignorance of the vulnerability CVE-2010-0249, found in Internet Explorer version 6 . (McAfee, 2010) According to National Vulnerability Database, the vulnerability “allows remote attackers to execute arbitrary code by accessing a pointer associated with a deleted object, related to incorrectly initialized memory and improper handling of objects in memory”(NIST, 2010). The detailed steps the hackers took are reviewed in the next paragraphs. After the breach, the attackers placed a Remote Access Trojan and other malware to pipeline Google's Intellectual Property and Source Code to their servers. The Servers the hackers piped the IP and Source Code where found to be in Taiwan, making this electronic breach global. The name “Aurora” was the folder name on the attackers machine.(InfosecEvents, 2010)
McAfee's investigation into the attack, discovered that the hackers took six steps to reach their goal. I am going to describe it in three steps, by combining 2-5 into the second step. The first step involved a trusted friend sending an e-mail to the target. (McAfee Labs, 2010). The sophistication of the attack is in the details and success , which began with a phishing attack. The companies most likely used a type of e-mail filtering for spam so they hacked into e-mail accounts of low-hanging employees as well as those with privileges. By sending the e-mails to multiple employees at the different levels the hackers increased their chances of success. There is also proof that they had a few targets and the attackers sent e-mail to their friends in order to get to the main target. (InfosecEvents, 2010)
The second step is the key to the success of the attack, I will argue it is the most important. Like a duck it the water, the HTML page appeared to be doing nothing, but under the surface the code did all the work. This skillfully crafted page accomplished the three steps ; exploited an Internet Explorer 6 vulnerability through means of a NOP slide that pointed then to malicious code. If the IE vulnerability mentioned above did not exist the exploit would not exist. (NIST, 2010)
This code used a series of NOP Slides, a function of programming, designed to tell the CPU to do doing. After the series of NOP Slides , the code pointed to the malicious payload.(Day, 2010) The Payload had 11 files; 6 dynamic link library (.dll) , 3 executable (.exe), 1 image (.jpg) and 1 text (.txt) .The malware first gathered the following data; Registry key, Service Pack name, OS version, and machine name. One executable installed a Remote Access Trojan; download in the background, the RAT authenticated with the command and control servers, using a customized encryption in place of SSL on port 443. Once authenticated the RAT created a backdoor. Three of the .dll files included call backs that allowed attackers to remotely search the network. (US-CERT, 2010)
With the users privileges, the attackers went through the servers searching for IP and Source code. Once retrieved, the data was pipe lined on port 443(HTTPS) to the servers in Taiwan. This web page as well as servers were hosted in Taiwan , evidence that lead investigators to believe the attacker were a Chinese entity. (InfosecEvents, 2010)
In the IT world , the CIA Triad is the holy grail to cyber security. In the Operation Aurora attack , all triad was destroyed. Confidentiality is the protection of data on a system. In the attack the hackers successfully stole Intellectual Property and source code. Although the hackers used authorized users accounts , they were not authorized users. The thirty-four companies lost confidentiality of their assets as soon as the vulnerability was exploited. Integrity is the accuracy and validity of the data on the networks. It is fair to say with the control that the hackers had ; being able to pipeline the IP and source code, altering the code would be simple as well as probable. Reports of the investigation did not note a loss in availability. This would make since because the goal was stealing IP , not a denial of service. Compromising Availability would have immediately notified the authorities of the network. Authorities would have intercepted the attack and it would have not been successful.(InfosecEvent, 2010)
Since the attack certain improvements have been made to prevent such an attack from occurring again. Microsoft issued a patch for the vulnerability, making it impossible to execute remote code. Microsoft also advises to use Data Execution Prevention (DEP) in IE 6 and in future versions enable DEP automatically. The attack file names have also been published to many sites, making it easy to search networks for the malicious files or characteristics. There are several IP addresses associated with the attack, that can be blocked from communicating with your network. In addition to technological improvements , awareness and training should be conducted for prevention as well, being that the phishing attack allowed the exploit to occur.(US-CERT, 2010)
In Conclusion, the master-minds behind Operation Aurora had all three qualities of a malicious attacker. The skills included ; knowledge of IE 6 exploit, programming in java script and HTML, and servers/network devices. The attackers had the opportunity because they successfully attacked thirty-four companies with the same methods. The motive of the attackers was the Intellectual Property and source code. With the IP and source code, the attackers could better project vulnerabilities in future product.(US-CERT, 2010)
Operation Aurora was a directed attack at thirty-four United States Companies over the span of two months.(InfosecEvents, 2010) What made the attack successful was the Zero Day exploit in Internet Explorer 6. Windows claimed ignorance of the vulnerability CVE-2010-0249, found in Internet Explorer version 6 . (McAfee, 2010) According to National Vulnerability Database, the vulnerability “allows remote attackers to execute arbitrary code by accessing a pointer associated with a deleted object, related to incorrectly initialized memory and improper handling of objects in memory”(NIST, 2010). The detailed steps the hackers took are reviewed in the next paragraphs. After the breach, the attackers placed a Remote Access Trojan and other malware to pipeline Google's Intellectual Property and Source Code to their servers. The Servers the hackers piped the IP and Source Code where found to be in Taiwan, making this electronic breach global. The name “Aurora” was the folder name on the attackers machine.(InfosecEvents, 2010)
McAfee's investigation into the attack, discovered that the hackers took six steps to reach their goal. I am going to describe it in three steps, by combining 2-5 into the second step. The first step involved a trusted friend sending an e-mail to the target. (McAfee Labs, 2010). The sophistication of the attack is in the details and success , which began with a phishing attack. The companies most likely used a type of e-mail filtering for spam so they hacked into e-mail accounts of low-hanging employees as well as those with privileges. By sending the e-mails to multiple employees at the different levels the hackers increased their chances of success. There is also proof that they had a few targets and the attackers sent e-mail to their friends in order to get to the main target. (InfosecEvents, 2010)
The second step is the key to the success of the attack, I will argue it is the most important. Like a duck it the water, the HTML page appeared to be doing nothing, but under the surface the code did all the work. This skillfully crafted page accomplished the three steps ; exploited an Internet Explorer 6 vulnerability through means of a NOP slide that pointed then to malicious code. If the IE vulnerability mentioned above did not exist the exploit would not exist. (NIST, 2010)
This code used a series of NOP Slides, a function of programming, designed to tell the CPU to do doing. After the series of NOP Slides , the code pointed to the malicious payload.(Day, 2010) The Payload had 11 files; 6 dynamic link library (.dll) , 3 executable (.exe), 1 image (.jpg) and 1 text (.txt) .The malware first gathered the following data; Registry key, Service Pack name, OS version, and machine name. One executable installed a Remote Access Trojan; download in the background, the RAT authenticated with the command and control servers, using a customized encryption in place of SSL on port 443. Once authenticated the RAT created a backdoor. Three of the .dll files included call backs that allowed attackers to remotely search the network. (US-CERT, 2010)
With the users privileges, the attackers went through the servers searching for IP and Source code. Once retrieved, the data was pipe lined on port 443(HTTPS) to the servers in Taiwan. This web page as well as servers were hosted in Taiwan , evidence that lead investigators to believe the attacker were a Chinese entity. (InfosecEvents, 2010)
In the IT world , the CIA Triad is the holy grail to cyber security. In the Operation Aurora attack , all triad was destroyed. Confidentiality is the protection of data on a system. In the attack the hackers successfully stole Intellectual Property and source code. Although the hackers used authorized users accounts , they were not authorized users. The thirty-four companies lost confidentiality of their assets as soon as the vulnerability was exploited. Integrity is the accuracy and validity of the data on the networks. It is fair to say with the control that the hackers had ; being able to pipeline the IP and source code, altering the code would be simple as well as probable. Reports of the investigation did not note a loss in availability. This would make since because the goal was stealing IP , not a denial of service. Compromising Availability would have immediately notified the authorities of the network. Authorities would have intercepted the attack and it would have not been successful.(InfosecEvent, 2010)
Since the attack certain improvements have been made to prevent such an attack from occurring again. Microsoft issued a patch for the vulnerability, making it impossible to execute remote code. Microsoft also advises to use Data Execution Prevention (DEP) in IE 6 and in future versions enable DEP automatically. The attack file names have also been published to many sites, making it easy to search networks for the malicious files or characteristics. There are several IP addresses associated with the attack, that can be blocked from communicating with your network. In addition to technological improvements , awareness and training should be conducted for prevention as well, being that the phishing attack allowed the exploit to occur.(US-CERT, 2010)
In Conclusion, the master-minds behind Operation Aurora had all three qualities of a malicious attacker. The skills included ; knowledge of IE 6 exploit, programming in java script and HTML, and servers/network devices. The attackers had the opportunity because they successfully attacked thirty-four companies with the same methods. The motive of the attackers was the Intellectual Property and source code. With the IP and source code, the attackers could better project vulnerabilities in future product.(US-CERT, 2010)
Bibliography
InfosecEvents.(2010).Operation Aurora, Zero-Day IE Flaw and Google Hacking – Don't Panic! Retrieved from http://infosecevents.net/2010/01/28/operation-aurora-zero-day-ie-flaw-and-google-hacking-dont-panic/
McAfee Labs. (2010). Protecting Your Critical Assets. Lessons Learned from“Operation Aurora”. Retrieved from http://www.wired.com/images_blogs/threatlevel/2010/03/operationaurora_wp_0310_fnl.pdf
US-CERT.(2010).Malicious Activity Associated with “Aurora” Internet Explorer Exploit. Retrieved from http://www.us-cert.gov/cas/techalerts/TA10-055A.html
McAfee. (2010). More Details on “Operation Aurora”. Retrieved from http://blogs.mcafee.com/mcafee-labs/more-details-on-operation-aurora \
NIST.(2010).Vulnerability Summary of CVE-2010-0249. Retrieved from http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0249
Day, Greg. (2010). Advanced Persistent Threats- Time to Run For Cover? Retrieved from
http://365.rsaconference.com/community/connect/blog/2010/12/20/webcast-advanced-persistent-threats-time-to-run-for-cover
No comments:
Post a Comment