
The iSEC Aurora Report

Tough news.

SAN FRANCISCO (Rixstep) — iSEC Partners have released their report on the Aurora attack that hit Google and over 100 other corporations. Their findings are going to be hard for most corporations to swallow.

Background

iSEC interviewed a number of victims of the Aurora attack and found a pattern.

  1. Attacker socially engineered victim (often in an overseas office) to visit malicious website.
  2. Malicious website exploited an IE vulnerability to load malware on target Windows machine.
  3. Malware now ran and contacted a control server, likely identified by a dynamic DNS address.
  4. Attacker escalated privileges on the corporate Windows network with cached or local administrator credentials.
  5. Attacker accessed an Active Directory server to obtain the password database which could be cracked onsite or offsite.
  6. Attacker used cracked credentials to obtain VPN access or created a fake user in the VPN access server.
  7. Attack method now branched to either steal administrator credentials to access production systems, obtain source code from a source repository, access data hosted at the victim, or explore intranet sites for valuable intellectual property.

Piece of cake.

Tactical Recommendations

iSEC found that traditional defence strategies do not work when it comes to protecting Windows networks. This includes antivirus software, which iSEC categorically condemn as less than useless.

  1. Log and inspect DNS traffic.
  2. Establish internal network surveillance capability.
  3. Control inbound and outbound network traffic.
  4. Expand log aggregation to include at least the following.
    1. Security and system event logs from Windows member servers.
    2. Security, system, and application event logs from domain controllers.
    3. Login and SSH logs from UNIX servers.
    4. DNS request and response records from all local resolvers.
    5. Alerts from internal IDS sensors.
    6. Request logs from web proxy devices.
    7. Web access logs from intranet sites and applications.

  5. Expand Windows endpoint control.
    1. Disable the use of local administrator access for day to day activities.
    2. Utilise a patch solution that can update non-Microsoft products.
    3. Consider application whitelisting technologies.

  6. Audit VPN access and enrolment.
  7. Test malware scanning against known rootkits.
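Recommendations 1 and 4.4 above call for logging and inspecting resolver traffic, and step 3 of the attack pattern says the malware reached its control server through a dynamic DNS name. The following is an added example, not code from iSEC or from this article: it parses a few constructed BIND-style query log lines, matches query names against an assumed watch list of dynamic-DNS zones (the `.example` names are made up), and reports clients that resolve such a name repeatedly, with the gaps between lookups, since evenly spaced lookups look more like a beacon than a person.

```python
"""Flag repeated dynamic-DNS lookups in resolver query logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in BIND querylog style; clients, names and zones are invented.
SAMPLE_LOG = """\
12-Feb-2010 09:00:01.100 client 10.1.2.3#51234: query: intranet.corp.example IN A + (10.0.0.1)
12-Feb-2010 09:00:05.210 client 10.1.2.3#51240: query: update-svc.no-ip.example IN A + (10.0.0.1)
12-Feb-2010 09:05:05.300 client 10.1.2.3#51241: query: update-svc.no-ip.example IN A + (10.0.0.1)
12-Feb-2010 09:10:05.120 client 10.1.2.3#51242: query: update-svc.no-ip.example IN A + (10.0.0.1)
12-Feb-2010 09:11:40.000 client 10.1.2.9#40001: query: mail.corp.example IN MX + (10.0.0.1)
"""

# Assumed watch list of dynamic-DNS zones; a real deployment would use a maintained list.
DYNDNS_ZONES = ("no-ip.example", "dyndns.example", "changeip.example")

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

def parse_line(line):
    """Return (timestamp, client, qname, qtype) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
    return ts, m["client"], m["qname"].lower().rstrip("."), m["qtype"]

def is_dyndns(qname):
    """True when qname is, or sits under, one of the watched dynamic-DNS zones."""
    return any(qname == z or qname.endswith("." + z) for z in DYNDNS_ZONES)

def find_dyndns_beacons(log_text, min_queries=3):
    """Return {(client, qname): [seconds between successive lookups]} for every
    client that resolved a watched name at least min_queries times."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_dyndns(rec[2]):
            seen[(rec[1], rec[2])].append(rec[0])
    hits = {}
    for key, stamps in seen.items():
        if len(stamps) >= min_queries:
            stamps.sort()
            hits[key] = [round((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]
    return hits

if __name__ == "__main__":
    for (client, qname), gaps in find_dyndns_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {qname}: {len(gaps) + 1} lookups, gaps {gaps}s")
```

On the sample the single hit is the 10.1.2.3 client resolving the watched name three times at 300-second intervals, while the one-off intranet and mail lookups are ignored.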

Things get a bit tougher.

Strategic Recommendations

Preparing for the modern targeted threat is essential.

  1. Build a security operations team.
  2. Secure your overseas offices.
  3. Classify and catalog sensitive data.
  4. Secure your Active Directory network.
    1. Make domain administrator account logins smartcard-only.
    2. Do not use shared local accounts.
    3. Beware of using domain admin accounts in automated processes.
    4. Set GPO to reduce authentication attack danger.
    5. Audit domain users for unusual permissions.
    6. Deploy read-only domain controllers in overseas offices.
    7. Consider an external 'forest' with two way trust for remote offices.

Most of the above is sound advice for any network, Windows in it or otherwise. Take the Windows-related items out and you still have something important to consider.

Lessons Learned

iSEC sum up with a number of general observations.

  • Attackers don't care about the front door. The front door is for dweebs - that's where everybody expected the hackers to hit ten years ago. Today they're backdoor men - they get in through unwitting Windows users.

  • Current antivirus solutions are not working. This can't be stressed enough - load up on all the free and commercial AV you want and you still won't be one iota safer. They're signature-based and they're static. And the hackers will know about the AV you're using and the version you're using. They'll craft their weapons to coast right by.

    AV doesn't work. Period.

  • Patching can't protect against zero day exploits. You have one flimsy perimeter of defence with Windows. You can only protect against known exploits. Not too cool.

  • You might be playing in the big leagues. Meaning you're getting hit with the same big guns aimed at the Fortune 500s. But what's more important is to realise you're not getting attacked by PFYs anymore - the hackers themselves are 'big leagues'.

ZeuS is a nasty infection to have.
 - Richard S Westmoreland

Copyright © Rixstep. All rights reserved.