Google, Adobe targeted by malware in coordinated attack
Google's disclosure on Tuesday evening that its systems, as well as those belonging to a number of other companies, were compromised to steal intellectual property on behalf of Chinese hackers serves as notice that no firm is immune to a cyber intrusion, experts said Wednesday.
Such an incident should put organizations on high alert, Chris Wysopal, CTO of application security firm Veracode, told SCMagazineUS.com on Wednesday. In the case of Google, the apparent goal of the thieves was to hijack the Gmail accounts of Chinese human rights proponents, according to a blog post from the internet giant. The hackers were able to access two accounts.
"I think it's going to be a wake-up call to a lot of nonfinancial companies that they're under the same style of attack, which I don't feel a lot of them feel the heat of," Wysopal said. "When I talk to [these] companies, there's just not the same amount of effort put into security."
According to an analysis by researchers at VeriSign iDefense, which cited anonymous sources, the attacks against Google and more than 30 other firms, are traceable to IPs and servers based in China, or to proxies belonging to the Asian nation.
The attack is similar to a July 2009 incident in which cybercriminals sent emails containing espionage trojans to some 100 IT-related firms, according to iDefense. In that ambush, the attackers used PDF files to deliver the malicious code, prompting experts to believe similar files were being leveraged in the latest incidents, which were detected by Google in December.
Likely not coincidentally, Adobe also admitted on Tuesday to being one of the companies targeted by the attack — on the same day it released a "critical" security update for its Reader and Acrobat software. (Adobe said it was not aware of any sensitive data being exposed.)
The most commonly used file type in targeted attacks last year has been PDF, being leveraged 47.3 percent of the time, according to anti-virus firm F-Secure.
"According to sources familiar with the present attack, attackers delivered malicious code used against Google and others using PDFs as email attachments," the iDefense report said. "Those same sources also claim that the files have similar characteristics to those distributed in the July attacks...The code samples obtained by iDefense from the July attack and the present attack are different, but they contact two similar hosts for command-and-control communication."
Organizations attempting to prevent successful attacks such as these should not concern themselves so much with the malware as they should with identifying and blocking the command-and-control hub being used to send orders to compromised machines, said Gunter Ollmann, vice president of research at Damballa, a botnet detection company.
"How the malware actually got there doesn't really matter," he told SCMagazineUS.com on Wednesday. "The trick lies with the remote control, the tether, that allows them to make changes, eavesdrop or target specific information, and then extract that information out."
Google, meanwhile, apparently is using the attack as justification to stop censoring results on its China-based search site, Google.cn, something that may require a total shutdown in China because such a move may violate law there.
"These attacks and the surveillance they have uncovered — combined with the attempts over the past year to further limit free speech on the web — have led us to conclude that we should review the feasibility of our business operations in China," the Google blog post said.
Secretary of State Hillary Clinton said in a statement Tuesday that senior officials are investigating.
"We have been briefed by Google on these allegations, which raise very serious concerns and questions," she said. "We look to the Chinese government for an explanation. The ability to operate with confidence in cyberspace is critical in a modern society and economy."