On January 12th I (and thousands of others!) received a notice from Google saying that they "detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google." Note that the attack was not on Google's products (web search, advertising, YouTube, Gmail, etc.). The attack was against Google's corporate network, which is likely protected by the same kinds of firewalls, IPS, and AV that any Fortune 500 company uses. Google also mentioned that, in the course of investigating the attack, they discovered that they were only one of many companies targeted as part of the same campaign.
On January 14, George Kurtz (McAfee's CTO) published a blog post saying that McAfee is "working with multiple organizations which were impacted by the attack" that famously hit Google. As part of their investigation, they found a new zero-day exploit for Internet Explorer. George goes on to say:
As with most targeted attacks, the intruders gained access to an organization by sending a tailored attack to one or a few targeted individuals. We suspect these individuals were targeted because they likely had access to valuable intellectual property. These attacks will look like they come from a trusted source, leading the target to fall for the trap and click a link or file. That's when the exploitation takes place, using the vulnerability in Microsoft's Internet Explorer.
Once the malware is downloaded and installed, it opens a back door that allows the attacker to perform reconnaissance and gain complete control over the compromised system. The attacker can now identify high value targets and start to siphon off valuable data from the company.
Our investigation has shown that Internet Explorer is vulnerable on all of Microsoft's most recent operating system releases, including Windows 7. Still, so far the attacks we've seen using this vector have been focused on Internet Explorer 6.
End Quote
Microsoft's Response: Normally, Microsoft tempers its Security Advisories by trying to make customers understand to what degree adversaries are actually exploiting a particular vulnerability. Version 1.0 of this security advisory says that they are aware of only one customer who was actually hit by an exploit for the vulnerability. I have never seen Microsoft publish an SA without there being some type of widespread exploitation. Microsoft has no acceptable workaround.
Germany has taken an unheard-of step. Germany's Federal Office for Information Security (BSI) has recommended that citizens not use Internet Explorer version 6, 7, or 8 on Windows XP, Vista, or Windows 7 until Microsoft issues a patch.
McAfee (and others) have reported that exploit code for the IE vulnerability is now public.
Anti-virus is of limited use against this threat. Signature-based anti-virus works best against malware that many customers have already seen and that the vendor has had time to fingerprint. A dedicated attacker can download a malware toolkit, build a fresh sample around the exploit, and send it to a few employees within minutes. That sample has never been seen by the AV vendor, so the product can provide only limited protection.
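To make the point about signatures concrete, here is a small Python illustration. It is an added example, not code from the original post or from McAfee or Microsoft: the "payload", the hash blocklist, the byte signatures and the toy XOR "crypter" are all constructed here to stand in for a real sample, a real AV database and a real malware-toolkit packer. It shows that a sample already in the blocklist is caught, that a trivially repacked copy of the very same payload is missed by both the hash and the byte-pattern check, and that only a scanner which sees the unpacked payload (as an emulator or sandbox would) catches the repacked copy.

```python
"""Why a freshly built sample slips past signature-based anti-virus.

Added example, not from the original post.  Everything below is constructed:
the payload is plain text standing in for a backdoor, the blocklist and the
signatures stand in for an AV vendor's database, and pack()/unpack() stand in
for the trivial XOR 'crypter' a malware toolkit would apply.
"""
import hashlib

# Constructed stand-in for a backdoor that the AV vendor has already seen.
KNOWN_PAYLOAD = b"BACKDOOR v1: connect C2, open shell, exfiltrate documents"

# What a signature-based scanner ships with: hashes of samples seen in the
# wild, plus byte patterns extracted from those samples.
HASH_BLOCKLIST = {hashlib.sha256(KNOWN_PAYLOAD).hexdigest()}
BYTE_SIGNATURES = [b"connect C2", b"exfiltrate"]

STUB = b"STUB:"  # constructed marker for the unpacker stub a crypter prepends


def scan_static(sample: bytes) -> bool:
    """Static, signature-based check: hash blocklist, then byte patterns."""
    if hashlib.sha256(sample).hexdigest() in HASH_BLOCKLIST:
        return True
    return any(sig in sample for sig in BYTE_SIGNATURES)


def pack(payload: bytes, key: int) -> bytes:
    """Toy crypter: prepend a stub carrying the key, XOR the payload with it.

    A key of 0 is a failure mode worth catching: it leaves the payload
    unchanged, so the 'packed' sample would still match every signature.
    """
    if not 1 <= key <= 255:
        raise ValueError("key must be 1..255 (0 would leave the payload intact)")
    return STUB + bytes([key]) + bytes(b ^ key for b in payload)


def unpack(packed: bytes) -> bytes:
    """What the stub does at run time: recover the original payload."""
    if not packed.startswith(STUB):
        raise ValueError("not a packed sample")
    key = packed[len(STUB)]
    return bytes(b ^ key for b in packed[len(STUB) + 1:])


def scan_after_unpack(sample: bytes) -> bool:
    """Check that sees the payload the way an emulator or sandbox would:
    after the stub has unpacked it.  Falls back to the static scan for
    samples that are not packed."""
    try:
        return scan_static(unpack(sample))
    except ValueError:
        return scan_static(sample)


def demo() -> dict:
    """Run the three checks and return the outcomes for inspection."""
    repacked = pack(KNOWN_PAYLOAD, 0x5A)  # attacker rebuilt the sample
    return {
        # the known sample is caught by the hash alone
        "original_detected": scan_static(KNOWN_PAYLOAD),
        # new hash, no plaintext strings: static signatures miss it
        "repacked_detected_static": scan_static(repacked),
        # the behaviour is unchanged once the stub runs
        "repacked_same_payload": unpack(repacked) == KNOWN_PAYLOAD,
        # a scanner that sees the unpacked payload still catches it
        "repacked_detected_after_unpack": scan_after_unpack(repacked),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The hash changes with every rebuild, and the byte signatures only match the unpacked form, which is exactly why a sample built and sent the same morning can walk past a product that is otherwise good at catching last month's worm. Real packers use far more than a one-byte XOR, but the gap between "seen before" and "never seen" is the same.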
References:
http://googleblog.blogspot.com/2010/01/new-approach-to-china.html
http://arstechnica.com/security/news/2010/01/researchers-identify-command-servers-behind-google-attack.ars?utm_source=rss&utm_medium=rss&utm_campaign=rss
http://siblog.mcafee.com/cto/operation-%E2%80%9Caurora%E2%80%9D-hit-google-others/
http://siblog.mcafee.com/cto/%E2%80%9Caurora%E2%80%9D-exploit-in-google-attack-now-public/
http://www.microsoft.com/technet/security/advisory/979352.mspx
http://www.dw-world.de/dw/article/0,,5132998,00.html