Microsoft discloses zero-day IE flaw used in China attacks
The organized and well-resourced cybercriminals who compromised systems at Google, Adobe and more than 30 other large companies used a previously unknown, zero-day Internet Explorer exploit as part of their arsenal to install data-stealing malware on target machines, researchers at McAfee revealed Thursday.
"As with most targeted attacks, the intruders gained access to an organization by sending a tailored attack to one or a few targeted individuals," George Kurtz, McAfee's CTO, said in a blog post. "We suspect these individuals were targeted because they likely had access to valuable intellectual property. These attacks will look like they come from a trusted source, leading the target to fall for the trap and clicking a link or file. That's when the exploitation takes place, using the vulnerability in Microsoft's Internet Explorer."
Once an unsuspecting user clicks and installs the malware, typically delivered through some sort of social engineering ploy, it opens up a back door on the compromised machine, which allows the PC to communicate with a command-and-control center to receive commands.
"The attacker can now identify high-value targets and start to siphon off valuable data from that company," he said.
According to McAfee, the vulnerability exists on all versions of Windows, including the most recently released edition, Windows 7.
Microsoft on Thursday evening released an advisory that confirmed the flaw, present on Internet Explorer (IE) 6, 7 and 8 on Windows XP, Server 2003, Vista, Server 2008, Windows 7 and Server 2008 R2. The advisory lists a number of mitigating factors and workarounds, including running IE in "Protected Mode" on Vista and later versions.
"At this time, we are aware of limited, active attacks attempting to use this vulnerability against Internet Explorer 6," the advisory said. "We have not seen attacks against other affected versions of Internet Explorer."
McAfee codenamed the incident "Operation Aurora" because the name "Aurora" was used as part of the file path in the attacks.
The operation is an "advanced persistent threat," (APT) defined as stealthy and targeted attacks that are perpetrated by intelligent cybercriminals with deep pockets and cocktails of nearly impossible-to-detect malware at their disposal, experts said.
Ed Skoudis, founder and senior security consultant at InGuardians, a penetration testing and incident response firm, said many organizations have fallen victim to APT. Some, though, don't even know it.
"What makes it advanced is that the attackers aren't just looking for the low-hanging fruit," he told SCMagazineUS.com on Thursday. "They are looking to be stealthy. They want to get in without being noticed and they want to stay unnoticed. They tend to be focused on long-term control and finding very juicy and valuable information assets."
He said organizations have tended to focus on stopping organized crime attacks, such as at Heartland Payment Systems, that are conducted to steal credit card numbers and other financial data.
"It's more easy to understand," he said. "It's a palpable and in-your-face kind of crime. But the APT thing is riding there under the screen. But it's real. Absolutely."
In the cases of APT attacks, the perpetrators are spies out to hijack intellectual property and other trade secrets, Skoudis said. They build their own malware from scratch, meaning anti-virus signatures won't work. In addition, the code is designed to evade behavioral detection.
Organizations, as a result, must be on the lookout for "strange connections," such as unauthorized traffic funneling between compromised machines and command-and-control hosts, Skoudis said. They also must analyze endpoints for things such as rootkit infection.
The APT isn't going away, he said.
"This is the new way things will be," Skoudis said.