Tuesday, 19 January 2010

Cyber Espionage: Death by 1000 Cuts

Google Kick Starts a Real Look at the Problem

The recent events surrounding a targeted intrusion at Google have intrigued many and sparked numerous debates on a variety of issues. While Shadowserver is familiar with several of the events surrounding this compromise, we are not getting up-to-the-minute updates or fully clued into everything that happened. With that said, there are a number of things we would like to say, and we do not need much more information about this specific event in order to say them. A few items here will come as no surprise to some but should continue to open the eyes of others.

In a recent CBS 60 Minutes segment Jim Lewis, a Director at the Center for Strategic and International Studies (CSIS), described a major attack or “digital Pearl Harbor” that occurred in 2007 against the U.S. where massive amounts of data were stolen by foreign entities. These were neither the first attacks nor the last attacks the U.S. would see. These attacks have continued daily and are leading to what Lewis has called “the death of a thousand cuts.” Little by little, organizations of all types are being broken into and having intellectual property and other information stolen.

Unfortunately we can tell you these scenarios are playing out day in and day out on a massive scale, whether we recognize it or not.

Cyber Espionage Intrusions Run Rampant: Google Compromise is *NOT* atypical

Targeted cyber intrusions are occurring daily at a staggering level. Industries in the United States are heavily targeted, but this truly is a global problem that is facing nearly every nation. These are not your run-of-the-mill cyber attacks. They may have varying levels of sophistication; however, the attacks are often much more advanced than what most users have seen or will likely ever see. The next closest thing, perhaps on a parallel playing field, is those that are stealing vast amounts of money from banking systems that require two-factor authentication and/or dual approvers to transact. In these cases the attacks often start off extremely broad and are narrowed down.

These attacks seek to exfiltrate information from the targets or use them to further attack their infrastructure or other trusted parties. We should not be surprised, as there are several stories dating back to at least 2005 which start to tell the same tale. In 2005 a Time magazine article introduced us to Titan Rain and gave us a very interesting look into cyber attacks apparently coming from China. In early 2008 we saw a detailed BusinessWeek report on cyber espionage attacks affecting various governments, defense contractors, and corporate entities. Nearly a year later we saw the Gh0stnet Report telling a similar tale affecting the Tibetan community. Even more recently we learned of targeted attacks against Solid Oak Software in which source code was stolen and ultimately introduced into a product produced by two Chinese companies. Even the law firm representing Solid Oak Software has come under attack in the last week. Here we are in early 2010 being surprised by the same thing all over again.

The reality is that these attacks have not slowed down at all. In fact they may be in overdrive. You might start to see a theme arise in this post around that idea. Google has stirred up some real attention to what many do not realize is a very widespread problem.

A Few Major Problems

Organizations that are successfully targeted in these compromises often have three things in common:

1. They have something the attackers want. (Yes, we covered this already, but the second item is where it gets scary).
2. They not only have no idea they have been successfully compromised, they also had no idea they had even been targeted.
3. They are not adequately equipped to completely deal with the compromise and often do not understand the potential ramifications.


How do I know this to be true? Well I am unfortunately often the bearer of bad news for many organizations on this very subject. These are not theoretical victims but actual victims of which many are from large corporations, institutions, and establishments that you are very likely familiar with. You will just have to take our word for it, as there will be no name dropping here.

The next major problem is that many of these attacks are relatively sophisticated. Most of them come via e-mail and appear to be from someone known to the recipient, in attacks that are known as spear phishing. In fact in some cases it is literally impossible to spot the malicious e-mail message. These e-mail messages generally contain a malicious attachment or a link to a malicious file. Many of these threats completely or mostly evade anti-virus detection, at least for long enough to be effective. The attacks generally involve the use of a 0-day vulnerability or an exploit for a recently patched security issue that relies on your software being out of date. In some cases the attachment or link may just go straight to a binary that does not rely on an exploit but rather a somewhat foolhardy user.

Exploits That Cause the Hemorrhaging

We recently saw from the Google saga two items that may have led to one or more compromises at the company. The first thing we heard was mention of the 0-day PDF that exploits CVE-2009-4324, which we were already familiar with. The next item we learned of was a brand new 0-day in Internet Explorer (IE) as detailed in CVE-2010-0249. This is pretty exciting as it shows our attackers have access to some pretty interesting stuff.

This is not the first time a 0-day IE vulnerability has been used in a targeted attack and it likely will not be the last. However, the real weapon of choice here, which we see on a daily basis, is malicious PDF files. In the last few years attacking Adobe Acrobat [Reader] platforms has probably been the number one method by which targeted cyber intrusions have been perpetrated. No, I do not have cold hard facts to back this up, but I have a plethora of evidence that points to this. I have seen enough malicious PDFs over the last few years and backtracked a number of compromises with various organizations that I have worked with to know this is a huge problem.

Twice in 2009 Shadowserver have put out details on two 0-day vulnerabilities that were discovered in the wild and being exploited by multiple groups. You can see write-ups from us on these two issues here and here. Time after time the same sets of actors get a hold of these exploits and immediately put them to work.

Recent years have seen plenty of other attacks against Microsoft with vulnerabilities in WordPad (Text Converter for Word 97), Word, PowerPoint, Excel, and more – which have all been used to conduct cyber espionage attacks alongside products from other companies too. However, as of late, Adobe products have been a major target for hackers. In several recent cases such as the ones cited above, the exploits were especially dangerous as they worked against pretty much every version of the product at the time, past and present.

The vector by which a substantial number of these exploits are delivered is also a bit ironic. A very large portion of targeted attacks come by way of Google's Gmail and Yahoo! webmail. This isn't to say all of them come from them, but from what I have seen these numbers are a bit staggering as well. The contagio blog has recently been posting information on actual spear phish e-mails. These posts include more than just malicious attachment information. They contain details on the entire e-mail message, which shows the sender and often includes the header information. Peruse the blog and count how many of these rather sophisticated attacks are coming from these providers. These results match what we have seen and heard from others as well.

Attribution: Easier Said Than Done

One thing that has come out of this recent debacle is finger pointing at the Chinese government. We are going to withhold judgment here for the exact reasons we are writing this section. How often are we ever 100% sure of anything? Don’t worry, it’s a rhetorical question. Attribution is a very difficult thing to do. Clearly pointing the finger right at the Chinese government is not something I would do. I might suspect them of being behind some of these attacks, but I would not come out and make a definitive statement to that effect. However, with that being said, there is a lot of evidence pointing back to China on a number of these attacks. The least of which is command and control IP addresses being located in China. That alone of course does not implicate the government.

What is quite interesting is that the U.S. government will be issuing a demarche to the Chinese government looking for an explanation and some feedback on this whole issue that occurred with Google. We are very interested to see the response to this if there is one. It would be easy to pile on a number of other issues that could be tacked onto this query. We have seen plenty of evidence that could be used to point a big finger, but as mentioned that is not something we will be doing.

We are Failing to Stop the Bleeding

If most of us do not even see the problem, how can we possibly stop it? Massive amounts of data are being stolen every week and very little is being done about it. Most victims are unaware it's happening, and by the time they find out (if they find out) it is too late. What do you do when all your research and competitive data is gone? Imagine going to the negotiating table where the other side already knows everything you are going to say. These are just some of the scenarios that are likely playing out. This is not something you want to happen to you.

Allow me to give you a generalized breakdown of industries we have seen as confirmed victims of groups that can be referred to as the Advanced Persistent Threat (APT). A large majority of these apply to both U.S. and non-U.S.-based industries.

• Aerospace
• Cellular Companies
• Commerce Organizations
• Communications Systems
• Defense Contractors
• Energy (Oil/Gas/others)
• Environmental
• Financial Institutions
• Fortune 500
• Government
• Government Consulting
• Human Rights Organizations
• International Aid Organizations
• Law Firms
• News Organizations
• Olympic Committees
• Satellite
• Tibetan Community
• University Research Institutions


This is just a short list, and keep in mind what we know is only a very very small piece of the pie. This should really scare you. This is a real problem that we are not prepared to face and are not adequately addressing. Unfortunately I do not come to you with solutions in this post, but I think we need to start recognizing that we are in dire need of a change in the way we operate. This post may seem a bit sensationalist, but I assure you we are not straying from reality or even warping the perspective. If anything we have still oversimplified the issues and are likely not even aware of the worst that is going on. Chances are if you have anything of strategic value or international importance, you have likely been targeted and may very well have been compromised.

=>Posted January 19, 2010, at 06:32 AM by Steven Adair