Friday, January 15, 2010

Operation Aurora - Google Attackers Used IE Zero Day; Internal Spy System Targeted

Via -

Several of the companies victimized in the attack that hit Google and dozens of other companies recently were compromised through the use of a new, unpatched vulnerability in Internet Explorer, experts say.

The flaw was used in a sophisticated attack that included victims receiving targeted emails with malicious attachments or links to malicious sites, which then exploited the flaw in IE. Researchers at McAfee have been working with some of the victim companies to investigate the attacks, and discovered the new IE vulnerability during the course of the investigation, according to a blog post by CTO George Kurtz.

As with most targeted attacks, the intruders gained access to an organization by sending a tailored attack to one or a few targeted individuals. We suspect these individuals were targeted because they likely had access to valuable intellectual property. These attacks will look like they come from a trusted source, leading the target to fall for the trap and click a link or file. That’s when the exploitation takes place, using the vulnerability in Microsoft’s Internet Explorer.

Once the malware is downloaded and installed, it opens a back door that allows the attacker to perform reconnaissance and gain complete control over the compromised system. The attacker can now identify high value targets and start to siphon off valuable data from the company.

Our investigation has shown that Internet Explorer is vulnerable on all of Microsoft’s most recent operating system releases, including Windows 7.

This is the first detailed description of the methods the attackers used in at least some of the incidents, although there may have been other methods used against other victims. Google was the first to publicly disclose the attack on Tuesday, saying that its corporate network had been compromised and some intellectual property stolen. Adobe also disclosed an attack Tuesday, but has not confirmed that it was related to the same series of attacks that hit Google and more than 30 other companies.

Microsoft is investigating a report of a publicly exploited vulnerability in Internet Explorer. This advisory contains information about which versions of Internet Explorer are vulnerable as well as workarounds and mitigations for this issue.

Our investigation so far has shown that Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 is not affected, and that Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are affected.

The vulnerability exists as an invalid pointer reference within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.
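
The advisory describes the bug class only in outline: a pointer to an object that has already been deleted is still dereferenced. The following C sketch is an added illustration, not code from the advisory or from Internet Explorer, and every name in it is constructed. It shows the defensive pattern that turns that stale reference into a detectable error: objects are addressed through generation-tagged handles rather than raw pointers, so a handle kept past deletion fails validation instead of reaching freed storage.

```c
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Constructed example: a tiny object table with generation-tagged handles.
 * A handle names a slot plus the generation that was current when the
 * object was created. Freeing the slot bumps the generation, so any handle
 * kept past deletion (the situation the advisory describes) is rejected by
 * obj_lookup instead of being dereferenced. Holding a raw slot_t * across
 * obj_release would be the dangling-pointer pattern this avoids. */
#define SLOTS 4

typedef struct {
    uint32_t generation;   /* incremented on every release */
    int live;
    char name[16];
} slot_t;

typedef struct { uint32_t index; uint32_t generation; } handle_t;

static slot_t table[SLOTS];

/* Allocate the first free slot; index == SLOTS signals failure. */
handle_t obj_create(const char *name) {
    for (uint32_t i = 0; i < SLOTS; i++) {
        if (!table[i].live) {
            table[i].live = 1;
            strncpy(table[i].name, name, sizeof table[i].name - 1);
            table[i].name[sizeof table[i].name - 1] = '\0';
            return (handle_t){ i, table[i].generation };
        }
    }
    return (handle_t){ SLOTS, 0 };
}

/* Resolve a handle; NULL when the slot was freed or reused since issue. */
slot_t *obj_lookup(handle_t h) {
    if (h.index >= SLOTS || !table[h.index].live) return NULL;
    if (table[h.index].generation != h.generation) return NULL;  /* stale */
    return &table[h.index];
}

/* Delete the object and retire every outstanding handle to it. */
int obj_release(handle_t h) {
    slot_t *s = obj_lookup(h);
    if (!s) return 0;        /* stale handle or double release: refused */
    memset(s->name, 0, sizeof s->name);
    s->live = 0;
    s->generation++;
    return 1;
}
```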

That's because they apparently were able to access a system used to help Google comply with search warrants by providing data on Google users, said a source familiar with the situation, who spoke on condition of anonymity because he was not authorized to speak with the press. "Right before Christmas, it was, 'Holy s***, this malware is accessing the internal intercept [systems],'" he said.

Google's security team eventually managed to gain access to a server that was used to control the hacked systems, and discovered that it was not the only company to be hit. In fact, 33 other companies had also been compromised, including Adobe Systems, according to several sources familiar with the situation.

In related news, names of additional victims of this targeted attack, which appears to have targeted trade secrets and source code, are starting to trickle out. The Washington Post is reporting that the list includes Yahoo, Symantec, Northrop Grumman and Dow Chemical. A source told me that router maker Juniper Systems Inc. also may have been victimized, although I am still trying to confirm that claim.

Update, 10:34 p.m.: Juniper issued the following statement about claims that it, too, was one of the nearly three dozen companies hit by targeted attacks: “Juniper Networks recently became aware, and is currently investigating, a cyber security incident involving a sophisticated and targeted attack against a number of companies. As with any investigation of this nature, Juniper does not disclose details.”

1 comment:

  1. The Aurora vulnerability is now in the wild: