Hack of Google, Adobe Conducted Through Zero-Day IE Flaw
•By Kim Zetter
•January 14, 2010 |
•2:27 pm |
•Categories: Hacks and Cracks
Editor’s note: This story has been updated with a link to a Microsoft advisory about the new vulnerability as well as a Microsoft blog post discussing ways for users to reduce their risk of attack.
The recent hack attack on Google, Adobe and other companies occurred through exploitation of a zero-day vulnerability that affects many versions of Internet Explorer, according to Microsoft and a security researcher with a leading anti-virus firm.
Microsoft learned about the vulnerability only Wednesday evening, said the researcher, who asked not to be identified because he’s not authorized to speak with the press.
Update: Microsoft has posted an advisory about the new vulnerability and issued a statement confirming that hackers breached Google and other unspecified companies using it.
The company indicated the flaw does not affect IE version 5.01 with service pack 4 and is difficult to exploit in other versions. The company also has so far not seen widespread attacks using the flaw, “only targeted and limited attacks exploiting IE6.”
There is no existing patch for the memory-corruption flaw that causes the browser to internally misfire in a way that allows the hacker to inject malware onto the user’s computer.
“It’s pretty targeted so the reality is that it’s only currently being used against these targeted companies,” the researcher said. He couldn’t say how many of the other 33 companies hit in the hack attack were breached in this way.
In a blog post published last Thursday, Microsoft provided suggestions for users on how they can mitigate their vulnerability until a patch can be released.
Zero-day vulnerabilities are software security flaws for which there is currently no patch. Researchers discovered a memory-corruption flaw in IE in December, which Microsoft patched on Dec. 9. The researcher, however, said the one that affected Adobe is new.
Google announced Tuesday that it had been the target of a “highly sophisticated” and coordinated hack attack against its corporate network. It said the hackers had stolen intellectual property and sought access to the Gmail accounts of human rights activists. The attack had originated from China, the company said.
Minutes later, Adobe acknowledged in a blog post that it discovered Jan. 2 that it also had been the target of a “sophisticated, coordinated attack against corporate network systems managed by Adobe and other companies.”
Neither Google nor Adobe provided details about how the hacks occurred.
Threat Level reported Tuesday that at least 34 companies were breached, some of them through a malicious PDF e-mail attachment that exploited a zero-day vulnerability in Adobe’s Reader and Acrobat applications. Through that vulnerability, the hackers were able to install a Trojan program called Trojan.Hydraq on the user’s computer to siphon credentials and other data to gain further entry into the company’s network, according to security firm iDefense.
The hackers targeted the companies’ source-code repositories, iDefense said, and succeeded in many case in accessing those files. The hackers then transmitted stolen data to servers in the United States maintained by Rackspace before siphoning them to IP addresses in Taiwan.
The anti-virus researcher doesn’t know the specifics about how Adobe was attacked but says the Hydraq trojan is the same malware that Adobe found on its systems, and it was delivered through the IE vulnerability. His company has been working closely with Adobe to investigate the attack and received samples of the malware to examine.
He said Adobe employees were likely targeted in a spear-phishing attack. This occurs when hackers send targeted e-mails to recipients that contain links to malicious websites that exploit a browser vulnerability.
When an Adobe employee visited such a site, the Hydraq trojan was loaded automatically to their computer.
The researcher said he doesn’t know what the hackers were able to access inside Adobe’s network once they were inside.
Adobe has not responded to requests from Threat Level for comment.
Adobe announced in mid-December that a new zero-day vulnerability in its Reader and Acrobat programs was being actively targeted by attackers. The company made the announcement after security researchers not affiliated with Adobe discovered attacks being conducted against the vulnerability. Adobe patched the critical vulnerability only on Tuesday, the day it and Google announced they had been hacked.
Anti-virus firm McAfee has published a blog post confirming that a previously undisclosed vulnerability in IE was used to hack into several of the targeted companies. The attacks have been dubbed “Operation Aurora,” believed to be the name the hackers gave their attack. A McAfee spokesman told Threat Level that the company’s researchers had been working with a number of companies that were targeted in the attack since last week, prior to Google’s announcement.
The McAfee blog post, written by George Kurtz, McAfee’s chief technology officer, indicates that the IE vulnerability may be just one of many attack routes the hackers used and that the attacks signify a wind change in cyberespionage. He notes that the attacks, which occurred over the Christmas and New Year holidays, were timed to hit during a period when companies would be least likely to detect them.
“The current bumper crop of malware is very sophisticated, highly targeted, and designed to infect, conceal access, siphon data or, even worse, modify data without detection,” Kurtz writes. “These highly customized attacks known as ‘advanced persistent threats’ (APT) were primarily seen by governments and the mere mention of them strikes fear in any cyberwarrior. They are in fact the equivalent of the modern drone on the battle field. With pinpoint accuracy they deliver their deadly payload and once discovered — it is too late. All I can say is wow. The world has changed.”
Updated with information from McAfee blog post and from Microsoft.
Google Hack Attack Was Ultra Sophisticated, New Details Show
By Kim Zetter January 14, 2010 | 8:01 pm | Categories: Breaches, Cybersecurity, Hacks and Cracks
Hackers seeking source code from Google, Adobe and dozens of other high-profile companies used unprecedented tactics that combined encryption, stealth programming and an unknown hole in Internet Explorer, according to new details released by the anti-virus firm McAfee.
“We have never ever, outside of the defense industry, seen commercial industrial companies come under that level of sophisticated attack,” says Dmitri Alperovitch, vice president of threat research for McAfee. “It’s totally changing the threat model.”
Google announced Tuesday that it had been the target of a “highly sophisticated” and coordinated hack attack against its corporate network. It said the hackers had stolen intellectual property and sought access to the Gmail accounts of human rights activists. The attack originated from China, the company said.
The attackers used nearly a dozen pieces of malware and several levels of encryption to burrow deeply into the bowels of company networks and obscure their activity, according to Alperovitch.
“The encryption was highly successful in obfuscating the attack and avoiding common detection methods,” he said. “We haven’t seen encryption at this level. It was highly sophisticated.”
The hack attacks, which are said to have targeted at least 34 companies in the technology, financial and defense sectors, have been dubbed “Operation Aurora” by McAfee due to the belief that this is the name the hackers used for their mission.
The name comes from references in the malware to the name of a file folder named “Aurora” that was on the computer of one of the attackers. McAfee researchers say when the hacker compiled the source code for the malware into an executable file, the compiler injected the name of the directory on the attacker’s machine where he worked on the source code.
Minutes after Google announced its intrusion, Adobe acknowledged in a blog post that it discovered Jan. 2 that it had also been the target of a “sophisticated, coordinated attack against corporate network systems managed by Adobe and other companies.”
Neither Google nor Adobe provided details about how the hacks occurred.
In the wake of Threat Level’s Thursday story disclosing that a zero-day vulnerability in Internet Explorer was exploited by the hackers to gain access to Google and other companies, Microsoft published an advisory about the flaw that it already had in the works.
McAfee has added protection to its products to detect the malware used in the attacks.
Although the initial attack occurred when company employees visited a malicious website, Alperovitch said researchers are still trying to determine if this occurred through a URL sent to employees by e-mail or instant messaging or through some other method, such as Facebook or other social networking sites.
Once the user visited the malicious site, their Internet Explorer browser was exploited to download an array of malware to their computer automatically and transparently. The programs unloaded seamlessly and silently onto the system, like Russian nesting dolls, flowing one after the other.
“The initial piece of code was shell code encrypted three times and that activated the exploit,” Alperovitch said. “Then it executed downloads from an external machine that dropped the first piece of binary on the host. That download was also encrypted. The encrypted binary packed itself into a couple of executables that were also encrypted.”
One of the malicious programs opened a remote backdoor to the computer, establishing an encrypted covert channel that masqueraded as an SSL connection to avoid detection. This allowed the attackers ongoing access to the computer and to use it as a “beachhead” into other parts of the network, Alperovitch said, to search for login credentials, intellectual property and whatever else they were seeking.
McAfee obtained copies of malware used in the attack, and quietly added protection to its products a number of days ago, Alperovitch said, after its researchers were first brought in by hacked companies to help investigate the breaches.
Although security firm iDefense told Threat Level on Tuesday that the Trojan used in some of the attacks was the Trojan.Hydraq, Alperovitch says the malware he examined was not previously known by any anti-virus vendors.
iDefense also said that a vulnerability in Adobe’s Reader and Acrobat applications was used to gain access to some of the 34 breached companies. The hackers sent e-mail to targets that carried malicious PDF attachments.
Alperovitch said that none of the companies he examined were breached with a malicious PDF, but he said there were likely many methods used to attack the various companies, not just the IE vulnerability.
Once the hackers were in systems, they siphoned off data to command-and-control servers in Illinois, Texas and Taiwan. Alperovitch wouldn’t identify the systems in the United States that were involved in the attack, though reports indicate that Rackspace, a hosting firm in Texas, was used by the hackers. Rackspace disclosed on its blog this week that it inadvertently played “a very small part” in the hack.
The company wrote that “a server at Rackspace was compromised, disabled, and we actively assisted in the investigation of the cyber attack, fully cooperating with all affected parties.”
Alperovitch wouldn’t say what the attackers might have found once they were on company networks, other than to indicate that the high-value targets that were hit “were places of important intellectual property.”
iDefense, however, told Threat Level that the attackers were targeting source-code repositories of many of the companies and succeeded in reaching their target in many cases.
Alperovitch says the attacks appeared to have begun Dec. 15, but may have started earlier. They appear to have ceased on Jan. 4, when command-and-control servers that were being used to communicate with the malware and siphon data shut down.
“We don’t know if the attackers shut them down, or if some other organizations were able to shut them down,” he said. “But the attacks stopped from that point.”
Google announced Tuesday that it had discovered in mid-December that it had been breached. Adobe disclosed that it discovered its breach on Jan. 2.
Aperovitch says the attack was well-timed to occur during the holiday season when company operation centers and response teams would be thinly staffed.
The sophistication of the attack was remarkable and was something that researchers have seen before in attacks on the defense industry, but never in the commercial sector. Generally, Alperovitch said, in attacks on commercial entities, the focus is on obtaining financial data, and the attackers typically use common methods for breaching the network, such as SQL-injection attacks through a company’s web site or through unsecured wireless networks.
“Cyber criminals are good … but they cut corners. They don’t spend a lot of time tweaking things and making sure that every aspect of the attack is obfuscated,” he said.
Alperovitch said that McAfee has more information about the hacks that it’s not prepared to disclose at present but hopes to be able to discuss them in the future. Their primary goal, he said, was to get as much information public now to allow people to protect themselves.
He said the company has been working with law enforcement and has been talking with “all levels of the government” about the issue, particularly in the executive branch. He couldn’t say whether there were plans by Congress to hold hearings on the matter.