McAfee Labs has been working day and night studying the attack we now call “Aurora”, which hit many organizations and came to light on Tuesday thanks to Google. We are working with the affected organizations as well as with government and law-enforcement bodies. One stage of our investigation was the analysis of a number of malicious code samples which, as far as we can tell, were used in attempts to penetrate the networks of the targeted organizations.
Fresh Internet Explorer Vulnerability
During the investigation we found that one of the malicious code samples used in the attack exploits a previously undisclosed vulnerability in Microsoft Internet Explorer. We reported this vulnerability to Microsoft, and on Tuesday they published an advisory and described it on their blog.
As with most targeted attacks, the intruders gained access to an organization's network by mounting targeted attacks against one or several selected users. We assume the users were chosen for their access to the organization's intellectual property. The attacks appeared to come from a trusted source, so the recipients lowered their guard and triggered the malicious code by following a link or opening a file. This is the point at which the Internet Explorer vulnerability is exploited.
Once the malicious code is downloaded and installed, it opens a backdoor that gives the attacker complete control over the compromised system. The attacker is now inside the company's network and can begin siphoning off the data that matters to the company.
Our investigation revealed that the vulnerability is present in all versions of Internet Explorer, including version 8 on Windows 7. However, the attackers mostly targeted version 6 of the browser. We want to thank Microsoft for working with us during the investigation.
Although we identified the Internet Explorer vulnerability as the primary attack vector in this incident, a considerable part of the attacks relied on a mix of unpublished (zero-day) vulnerabilities and well-crafted social engineering, so the set of vectors may yet grow. Also, contrary to other reports, we did not find evidence that Adobe Reader was used in the attack.
Operation Aurora
I am sure you want to know where the name “Aurora” came from. According to our analysis, the word “Aurora” was part of a file path on the attacker's machine and was embedded in two malicious binaries that, as far as we can tell, are related to the attack. Compilers usually embed this path in a binary as a pointer to where the source code and debugging symbols live on the developer's machine. We believe this is the name the attacker(s) used for the operation among themselves.
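The compiler-embedded path mentioned above lives in the CodeView (“RSDS”) debug record of a PE file, which is why it survives into the shipped binary. As an added illustration (not code from the original post or from McAfee), the script below pulls such records out of a binary's raw bytes so an analyst can triage samples by their PDB path; the GUID and path in the sample image are constructed placeholders, not values from the real Aurora samples.

```python
"""Extract CodeView (RSDS) PDB paths from a PE image's raw bytes.

Heuristic: scan for the 'RSDS' signature rather than walking the PE
debug directory, so it also works on truncated or memory-dumped images.
"""
import struct
import uuid

RSDS_HEADER_LEN = 24  # 'RSDS' + 16-byte GUID + 4-byte age, then a NUL-terminated path


def parse_rsds(blob: bytes, offset: int):
    """Parse one CodeView RSDS record starting at offset, or return None."""
    if blob[offset:offset + 4] != b"RSDS" or offset + RSDS_HEADER_LEN > len(blob):
        return None
    guid_raw = blob[offset + 4:offset + 20]              # PDB GUID in little-endian layout
    age = struct.unpack_from("<I", blob, offset + 20)[0]  # PDB "age" (revision counter)
    end = blob.find(b"\x00", offset + RSDS_HEADER_LEN)    # path is NUL-terminated
    if end < 0:
        return None
    path = blob[offset + RSDS_HEADER_LEN:end].decode("latin-1")
    return {"guid": str(uuid.UUID(bytes_le=guid_raw)), "age": age, "path": path}


def find_pdb_paths(blob: bytes):
    """Return every plausible RSDS record in blob (those carrying a printable path)."""
    records, pos = [], 0
    while (pos := blob.find(b"RSDS", pos)) >= 0:
        rec = parse_rsds(blob, pos)
        if rec and rec["path"] and rec["path"].isprintable():
            records.append(rec)
        pos += 4
    return records


def paths_mentioning(blob: bytes, keyword: str):
    """Triage helper: PDB paths whose text contains keyword (case-insensitive)."""
    return [r["path"] for r in find_pdb_paths(blob) if keyword.lower() in r["path"].lower()]


# Constructed sample "image": not a real PE, just bytes carrying one RSDS record
# with a made-up GUID and a made-up path (not the path from the actual Aurora samples).
SAMPLE_GUID = uuid.UUID("12345678-1234-5678-1234-567812345678")
SAMPLE_PATH = b"C:\\build\\Aurora_demo\\Release\\demo.pdb"
SAMPLE_IMAGE = (b"MZ" + b"\x00" * 62
                + b"RSDS" + SAMPLE_GUID.bytes_le + struct.pack("<I", 3)
                + SAMPLE_PATH + b"\x00" + b"\x90" * 16)

if __name__ == "__main__":
    for rec in find_pdb_paths(SAMPLE_IMAGE):
        print(rec)
```

On real samples, pass the file's bytes to `find_pdb_paths`; the GUID and age also let you match a binary against symbol-server requests seen in proxy logs.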
Landscape change
Blaster, Code Red and the other mass-market worms are a thing of the past. The current crop of malicious code is highly specialized, built for a specific purpose and designed to infect, hide its access, siphon off data or, worse still, alter it unnoticed.
These adaptable, custom-tailored attacks, known as advanced persistent threats (APTs), were first mounted against governments, and the mere mention of them is enough to send a chill through any cyber warrior. In effect they are the equivalent of a drone on the battlefield: they deliver their dangerous payload with surgical precision and are always discovered too late.
Operation Aurora has changed the cyber-threat landscape. These attacks showed that companies in every sector are very lucrative targets. Most are highly vulnerable to such targeted attacks, which yield a very valuable prize: intellectual property.
Like the 2009 ATM heist, Operation Aurora appears to be a coordinated attack on prominent companies, aimed at their intellectual property. Just as an army of money mules pulled cash from ATMs, this malicious code let the attackers make off with the companies' crown jewels while people were away on the Christmas holidays. The attack was surely timed this way to cover its tracks.
All I can say is: “Wow!” The world has changed. The conventional threat model must now be adapted to the new reality of these APTs. Beyond Eastern European cybercriminals trying to steal credit card databases, you now need to protect core intellectual property, private non-financial customer information, and other intangible assets.
We will keep you informed as events unfold. As I wrote in the previous message - this is only the tip of the iceberg.
George Kurtz, Information Security Specialist, McAfee Company.
UPD: Video demonstrating the exploit in action: “The ‘Aurora’ IE Exploit in Action” by The Crew of the Praetorian Prefect on Vimeo.
UPD2: The exploit itself has been published.
Link to the Praetorian Prefect project. Links from Habr user “matrosov”:
www.metasploit.com/redmine/projects/framework/repository/revisions/8136/entry/modules/exploits/windows/browser/ie_aurora.rb - in Ruby, for Metasploit
ahmed.obied.net/software/code/exploits/ie_aurora.py - in Python