Friday, March 05, 2010

'Google' Hackers Alter Source Code?

Hackers who breached Google and other companies in January targeted source-code management systems, security firm McAfee asserted Wednesday. They manipulated a little-known trove of security flaws that would allow easy unauthorized access to the intellectual property the system is meant to protect.
The software-management systems, widely used at businesses unaware that the holes exist, were exploited by the Aurora hackers in a way that would have enabled them to siphon source code, as well as modify it to make customers of the software vulnerable to attack. It’s akin to making yourself a set of keys in advance for locks that are going to be sold far and wide.

Operation Aurora is a cyber attack which began in mid-December 2009 and continues into February 2010. The attack was first publicly disclosed by Google on January 12 in a blog post. In the blog post, Google said the attack originated in China. The attack has been aimed at dozens of other organizations, of which Adobe Systems, Juniper Networks and Rackspace have publicly confirmed that they were targeted. According to media reports, Yahoo, Symantec, Northrop Grumman and Dow Chemical, and the Rand Corporation were also among the targets.

As Operation Aurora highlighted, advanced persistent threats (APT) are an increasingly common form
of complex and directed attacks that use insidious techniques for gaining access to privileged systems
and maintaining that access until all of the attackers’ goals and objectives have been met. Operation
Aurora employed an APT technique that proved extremely successful in targeting, exploiting, accessing,
and exfiltrating highly valuable intellectual property from its victims.

How Aurora Worked
Operation Aurora included numerous steps that all occurred invisibly in an instant from the user’s
perspective. As you can see in the illustration below, without any apparent signs of malicious intent
or actions, Operation Aurora completed its attack in six simple steps:
  1. A targeted user received a link in email or instant message from a “trusted” source.
  2. The user clicked on the link which caused them to visit a website hosted in Taiwan that also contained a malicious JavaScript payload.
  3. The user’s browser downloaded and executed the malicious JavaScript, which included a zero-day Internet Explorer exploit.
  4. The exploit downloaded a binary disguised as an image from Taiwan servers and executed the
    malicious payload.
  5. The payload set up a backdoor and connected to command and control servers in Taiwan.
  6. As a result, attackers had complete access to internal systems. They targeted sources of intellectual property, including software configuration management (SCM) systems accessible by the compromised system. The compromised system could also be leveraged to further penetrate the network.
A white paper released by security firm McAfee during this week’s RSA security conference in San Francisco provides a couple of new details about the Operation Aurora attacks (.pdf) that affected 34 U.S. companies, including Google and Adobe, beginning last July. McAfee helped Adobe investigate the attack on its system and provided information to Google about malware used in the attacks.

No comments: