Fwd: Operation Aurora

From: <somethoughts_at_aol_dot_com>
Date: Fri Jan 22 2010 - 06:12:11 CST

For those who were wondering how the Chinese broke through
Google's world-class security protection, here's a somewhat technical
description. Needless to say, any internet-based voting system would
become, at some point, the target of an attack at this level of
2 notes for non-techies
- McAfee is a company that specializes in computer security,
- The term "social engineering" is defined in Wikipedia as
  "the act of manipulating
  (http://en.wikipedia.org/wiki/Psychological_manipulation) people into
  performing actions or divulging confidential information, rather than by
  breaking in or using technical hacking
  (http://en.wikipedia.org/wiki/Social_engineering_(security)#cite_note-0)
  While similar to a confidence trick
  (http://en.wikipedia.org/wiki/Confidence_trick) or simple fraud
  (http://en.wikipedia.org/wiki/Fraud), the term typically applies to
  trickery or deception for the purpose of information gathering, fraud, or
  computer system access; in most cases the attacker never comes
  face-to-face with the victim."

Jim Soper
George Kurtz is McAfee executive vice president and worldwide chief
technology officer. You can read his full blog at
others/_ (http://siblog.mcafee.com/cto/operation-%e2%80%9caurora%e2%80%9d

Operation “Aurora” Hit Google, Others
Thursday, January 14th, 2010 at 3:34 pm by George Kurtz

McAfee Labs has been working around the clock, diving deep into the
attack we are now calling Aurora that hit multiple companies and was
publicly disclosed by Google on Tuesday.

We are working with multiple organizations that were impacted by this
attack as well as the government and law enforcement. As part of our
investigation, we analyzed several pieces of malicious code that we have
confirmed were used in attempts to penetrate several of the targeted

New Internet Explorer Zero Day
In our investigation we discovered that one of the malware samples
involved in this broad attack exploits a new, not publicly known
vulnerability in Microsoft Internet Explorer. We informed Microsoft
about this vulnerability and Microsoft published an advisory and a blog
post on the matter on Thursday afternoon.

As with most targeted attacks, the intruders gained access to an
organization by sending a tailored attack to one or a few targeted
individuals. We suspect these individuals were targeted because they
likely had access to valuable intellectual property. These attacks will
look like they come from a trusted source, leading the target to fall
for the trap and click a link or file. That’s when the exploitation
takes place, using the vulnerability in Microsoft’s Internet Explorer.

Once the malware is downloaded and installed, it opens a back door that
allows the attacker to perform reconnaissance and gain complete control
over the compromised system. The attacker can now identify high value
targets and start to siphon off valuable data from the company.

Our investigation has shown that Internet Explorer is vulnerable on all
of Microsoft’s most recent operating system releases, including Windows
7. Still, so far the attacks we’ve seen using this vector have been
focused on Internet Explorer 6. Microsoft has been working with us on
this matter and we thank them for their collaboration.

While we have identified the Internet Explorer vulnerability as one of
the vectors of attack in this incident, many of these targeted attacks
often involve a cocktail of zero-day vulnerabilities combined with
sophisticated social engineering scenarios. So there very well may be
other attack vectors that are not known to us at this time. That said,
contrary to some reports our findings to date have not shown a
vulnerability in Adobe Reader being a factor in these attacks.

Operation “Aurora”
I am sure you are wondering about the name “Aurora.” Based on our
analysis, “Aurora” was part of the filepath on the attacker’s machine
that was included in two of the malware binaries that we have confirmed
are associated with the attack. That filepath is typically inserted by
code compilers to indicate where debug symbols and source code are
located on the machine of the developer. We believe the name was the
internal name the attacker(s) gave to this operation.

Changing The Threat Landscape
Blaster, Code Red and other high profile worms are definitely a thing of
the past. The current bumper crop of malware is very sophisticated,
highly targeted, and designed to infect, conceal access, siphon data or,
even worse, modify data without detection.

These highly customized attacks known as “advanced persistent threats”
(APT) were primarily seen by governments and the mere mention of them
strikes fear in any cyberwarrior. They are in fact the equivalent of the
modern drone on the battlefield. With pinpoint accuracy they deliver
their deadly payload and once discovered – it is too late.

Operation Aurora is changing the cyberthreat landscape once again. These
attacks have demonstrated that companies of all sectors are very
lucrative targets. Many are highly vulnerable to these targeted attacks
that offer loot that is extremely valuable: intellectual property.

Similar to the ATM heist of 2009, Operation Aurora looks to be a
coordinated attack on many high profile companies targeting their
intellectual property. Like an army of mules withdrawing funds from an
ATM, this malware enabled the attackers to quietly suck the crown jewels
out of many companies while people were off enjoying their December
holidays. Without question this attack was perpetrated during a period
of time that would minimize detection.

All I can say is wow. The world has changed. Everyone’s threat model now
needs to be adapted to the new reality of these advanced persistent
threats. In addition to worrying about Eastern European cybercriminals
trying to siphon off credit card databases, you have to focus on
protecting all of your core intellectual property, private nonfinancial
customer information and anything else of intangible value.

We will continue to provide updates on this event as it continues to
unfold. As I said in my last post, this is only the tip of the iceberg.

OVC-discuss mailing list
By sending email to the OVC-discuss list, you thereby agree to release the content of your posts to the Public Domain--with the exception of copyrighted material quoted according to fair use, including publicly archiving at http://gnosis.python-hosting.com/voting-project/
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
Received on Sun Jan 31 23:17:01 2010
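
The quoted post notes that compilers insert the developer's debug-symbol file path into a binary, which is how the name "Aurora" surfaced in two samples. The Python sketch below is an added example, not part of the original message or of McAfee's tooling: it heuristically scans raw bytes for CodeView debug records (both the RSDS and older NB10 layouts, which goes slightly beyond the text) instead of parsing the PE debug directory, then lists directory names shared across samples. The sample bytes, paths and function names are constructed for illustration.

```python
import re
import struct
import uuid

# CodeView debug records that carry the PDB path the linker recorded at build time:
#   RSDS: b"RSDS" + 16-byte GUID + 4-byte age + NUL-terminated path   (PDB 7.0)
#   NB10: b"NB10" + 4-byte offset + 4-byte timestamp + 4-byte age + path (PDB 2.0)
HEADER_LEN = {b"RSDS": 24, b"NB10": 16}
MAX_PATH = 260  # assumption: ignore candidate paths longer than Windows MAX_PATH

def find_pdb_paths(data: bytes):
    """Heuristically scan raw file bytes for CodeView records; return a list of dicts."""
    hits = []
    for m in re.finditer(rb"RSDS|NB10", data):
        sig = m.group()
        start = m.start() + HEADER_LEN[sig]
        end = data.find(b"\x00", start, start + MAX_PATH + 1)
        if end <= start:
            continue  # no terminator in range, or empty path: not a real record
        raw = data[start:end]
        # Reject coincidental signature matches: need a printable path ending in .pdb
        if not raw.lower().endswith(b".pdb") or any(b < 0x20 for b in raw):
            continue
        hits.append({
            "offset": m.start(),
            "format": sig.decode(),
            "age": struct.unpack_from("<I", data, start - 4)[0],
            "path": raw.decode("utf-8", errors="replace"),
        })
    return hits

def shared_directories(paths):
    """Directory names (case-insensitive) present in every path: a clustering hint."""
    sets = [{p.lower() for p in re.split(r"[\\/]", path)[1:-1]} for path in paths]
    return set.intersection(*sets) if sets else set()

def build_sample(sig, path):
    """Build a constructed byte blob holding one CodeView record between padding."""
    if sig == b"RSDS":
        header = sig + uuid.UUID(int=1).bytes_le + struct.pack("<I", 2)
    else:
        header = sig + struct.pack("<III", 0, 0x4B4F0000, 2)
    return b"MZ" + b"\x90" * 62 + header + path.encode() + b"\x00" + b"\xcc" * 16

# Constructed samples: placeholder paths, not values from any real binary.
SAMPLE_A = build_sample(b"RSDS", r"C:\build\ExampleProject\Release\loader.pdb")
SAMPLE_B = build_sample(b"NB10", r"D:\work\exampleproject\Debug\module_b.pdb")

if __name__ == "__main__":
    found = [h["path"] for blob in (SAMPLE_A, SAMPLE_B) for h in find_pdb_paths(blob)]
    print(found, shared_directories(found))
```

A build that strips or rewrites the PDB path leaves nothing for this scan to find, so an empty result says nothing about a sample's origin.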
