Security report: For most, fighting ‘Aurora’ attacks futile

Tuesday, April 13, 2010 @ 06:04 PM gHale

Most businesses are defenseless against the types of attacks that hit Google and at least 33 other companies, according to a report that estimates the actual number of targeted companies could reach 100.

The attackers behind the cyber assault dubbed Aurora patiently stalked their hand-chosen victims over a period of months, working to identify specific end users and applications they could target to gain entry to corporate networks, according to the report prepared by security firm iSec Partners. They combined emails or instant messages that appeared to come from friends and trusted colleagues with potent zero-day vulnerabilities in common applications. In many cases, the attackers were able to evade specific versions of anti-virus programs.

The report shows that even the best practices IT departments have been following for years are not effective against these attacks. Google said the attackers infiltrated its systems and accessed its trade secrets. With the exception of Google and a handful of other organizations with the budgets to support expensive information security teams, companies are unprepared to defend themselves against attacks of this caliber, said iSec founding partner Alex Stamos.

In the days immediately following Google's disclosure, investigators said up to 33 other companies had suffered the same attacks. That estimate, however, came from the analysis of just one command-and-control channel used by the attackers, Stamos said. After sifting through roughly 60 additional channels, Stamos said the number of compromised companies could be as high as 100. Most of those companies have IT departments that are totally unprepared for attacks of this kind.

The attackers showed painstaking perseverance in gathering information about vulnerable end users, often casing social networks to learn the identities of friends and business associates so that instant messages and emails carrying poisoned links would appear more innocuous. They also employed an encyclopedic knowledge of corporate networking weaknesses that allowed them to convert the compromise of a single computer into a vector that surrendered unfettered access to a company's crown jewels.

For companies to reverse the tide, they will have to make fundamental changes to the way they think about and manage security inside their network perimeters.

Chief among the changes is disabling legacy mechanisms that, despite repeated warnings, often remain enabled, such as LAN Manager (LM) password hashes. LM hashes split a password into two 7-character halves and are trivial to crack offline, yet older Windows versions keep storing them alongside the NTLM hash unless the policy to stop storing them is set. Other recommendations include logging and inspecting all queries made to internal domain name system servers and building safeguards into the network that restrict access to key resources.

The following are steps IT and security teams can take to detect malicious activity:

  • Log and inspect DNS traffic.
  • Establish an internal network surveillance capability.
  • Control inbound and outbound network traffic.
  • Expand log aggregation.
  • Expand Windows endpoint control.
  • Audit VPN access and enrollment.
  • Test malware scanning against known rootkits.
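The DNS recommendation is where the command-and-control channels the report counted would first leave a trace inside the perimeter. As an added illustration, not code from the iSec Partners report or from this article, the following Python analyser reads a constructed, simplified query log and flags two patterns typical of a C2 channel: one client querying a single domain at near-constant intervals (beaconing), and one parent domain receiving many distinct random-looking labels (DNS tunnelling or algorithmically generated names). The log format, the two-label parent-domain heuristic, every threshold and the sample hosts and names are assumptions made for the example.

```python
"""Inspect DNS query logs for command-and-control indicators.

Added example for the "log and inspect DNS traffic" recommendation; not code
from the iSec Partners report or this article. The log format (ISO timestamp,
client IP, query name), the two-label parent-domain heuristic and all
thresholds are assumptions to adapt to your own resolver logs.
"""
import math
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample (not real traffic): a normal workstation (10.0.1.25), a host
# beaconing to one name every five minutes (10.0.1.40) and a host pushing
# random-looking labels under one parent domain (10.0.1.52).
SAMPLE_LOG = """\
# format: <timestamp> <client> <qname>
2010-04-13T09:00:00 10.0.1.25 www.example.com
2010-04-13T09:00:05 10.0.1.40 api.update-svc.invalid
2010-04-13T09:05:05 10.0.1.40 api.update-svc.invalid
2010-04-13T09:07:00 10.0.1.52 k3w9qzt7mf2pxn4d.t.exfil-tunnel.invalid
2010-04-13T09:07:02 10.0.1.52 r8vb5jyc1ae6ughs.t.exfil-tunnel.invalid
2010-04-13T09:07:03 10.0.1.52 t2mxq7kd9zpw4nfl.t.exfil-tunnel.invalid
2010-04-13T09:07:10 10.0.1.52 p6yh3csv8ajre1ub.t.exfil-tunnel.invalid
2010-04-13T09:07:13 10.0.1.52 n4zq9wkf2tdmx7lp.t.exfil-tunnel.invalid
2010-04-13T09:10:06 10.0.1.40 api.update-svc.invalid
2010-04-13T09:12:40 10.0.1.25 static-content-east.example.com
2010-04-13T09:15:05 10.0.1.40 api.update-svc.invalid
2010-04-13T09:20:05 10.0.1.40 api.update-svc.invalid
2010-04-13T09:41:50 10.0.1.25 cdn.example.com
"""

def parse_log(text):
    """Return (timestamp, client, qname) tuples, skipping blank, comment and malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0].startswith("#"):
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        except ValueError:
            continue  # unparseable timestamp: skip here, report it in production
        records.append((ts, parts[1], parts[2].lower().rstrip(".")))
    return records

def shannon_entropy(s):
    """Bits per character; a 16-character label of distinct characters scores 4.0."""
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0

def parent_domain(qname):
    """Registrable domain approximated as the last two labels (assumption; use a
    public-suffix list in production so names like example.co.uk group correctly)."""
    return ".".join(qname.split(".")[-2:])

def find_beacons(records, min_queries=5, max_cv=0.1, min_interval=30.0):
    """Flag (client, parent domain) pairs queried at near-constant intervals:
    users are bursty, scheduled malware check-ins have a low coefficient of variation."""
    times = defaultdict(list)
    for ts, client, qname in records:
        times[(client, parent_domain(qname))].append(ts)
    hits = []
    for (client, domain), stamps in sorted(times.items()):
        if len(stamps) < min_queries:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean < min_interval:
            continue  # rapid bursts are ordinary application behaviour, not beacons
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits.append({"client": client, "domain": domain, "count": len(stamps),
                         "interval": round(mean), "cv": round(cv, 3)})
    return hits

def find_label_fanout(records, min_unique=5, min_label_len=12, min_entropy=3.5):
    """Flag parent domains receiving many distinct, high-entropy leftmost labels,
    the footprint of DNS tunnelling or algorithmically generated names."""
    labels, clients = defaultdict(set), defaultdict(set)
    for _, client, qname in records:
        parent, leftmost = parent_domain(qname), qname.split(".")[0]
        if qname == parent:
            continue
        if len(leftmost) >= min_label_len and shannon_entropy(leftmost) >= min_entropy:
            labels[parent].add(leftmost)
            clients[parent].add(client)
    return [{"domain": d, "unique_labels": len(s), "clients": sorted(clients[d])}
            for d, s in sorted(labels.items()) if len(s) >= min_unique]

def analyze(text):
    records = parse_log(text)
    return {"beacons": find_beacons(records), "fanout": find_label_fanout(records)}

if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        print(kind, hits)
```

Run as a script to print both hits. Tune the thresholds against a baseline of your own traffic first: CDNs and software updaters also query on timers, so a beacon hit is a lead to correlate with proxy and endpoint logs, not proof of compromise, and the last-two-labels heuristic should be replaced with a public-suffix list before the script sees real logs.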

The PDF version of the report: