After the large scale attack on Google and more than 100 other corporations late last year, research has shown that companies are defenseless. In a study by iSEC on response recommendation for “Aurora,” seven common patterns were identified. Many of these patterns center around common online practices.
A typical attack, says iSEC, would proceed something like “The attacker socially engineers a victim, often in an overseas office, to visit a malicious website. This website uses a browser vulnerability to load custom malware on the initial victim’s machine. The malware calls out to a control server, likely identified by a dynamic DNS address. The attacker escalates his privilege on the corporate Windows network, using cached or local administrator credentials. The attacker attempts to access an Active Directory server to obtain the password database, which can be cracked onsite or offsite. The attacker uses cracked credentials to obtain VPN access, or creates a fake user in the VPN access server. At this point, the attack varies based upon the victim. The attacker may steal administrator credentials to access production systems, obtain source code from a source repository, access data hosted at the victim, or explore Intranet sites for valuable intellectual property.”
These findings about the Aurora program are significant, indicating considerable amounts of research on behalf of the attackers have made companies internet best practices useless against the attacks. iSEC founding partner Alex Stamos said “Attackers are willing to spend months attacking people in these companies, and they write custom malware specific to those companies.” The attackers also had an outstanding understanding of corporate weaknesses.
“These guys really understand how to take control of one laptop and turn it into domain admin access,” Stamos explained. “People are not well prepared for this kind of stuff.” For companies to prevent against this type of attack, they will need to make fundamental changes with security in their corporate networks. The study makes a few recommendations including disabling all services that despite repeated warnings often remain on.