More Content - Including Podcasts

Friday, March 26, 2010

Impact of Operation Aurora on IT Managers

The IT community is still talking about APT attacks, the fall-out of Operation Aurora, and organised malicious attacks and exploits. There's a lot of information and opinions out there, but the root question to most IT managers (and more-so to the executive/shareholders they ultimately answer to) is "what does this mean to my organisation?

How do you quickly assess the impact to your organisation? What is your level of risk?

The starting point is to have a non-commercial, objective understanding of what all this discussion is about. To understand the scope and impact outside out of the fear factor associated with trying to sell you something.

What Was Operation Aurora?
Operation Aurora was a specific organised type of APT (advanced persistent threat) attack that targeted intellectual property held by Google, and was also reported to have targeted up to 34 other organisations. The true target was suspected to be the email accounts of Chinese political dissidents on the GMail servers, and while aspects of the attack were reported as successful, the true scope of what information was actually captured has not been completely divulged to my knowledge.

The exploited code was a ground zero HTML object memory vulnerability in Internet Explorer (Microsoft Security Advisory 979352), which allowed a trojan to be installed on the compromised computer; the trojan would then contact command & control servers (located in Illinois, Texas, and Taiwan) over an SSL connection. The compromised system receives commands from the c&c servers, and also uploads data that it has collected. That data primarily consists of other machines within the protected network in which it resides which are also susceptible to the exploit and any private intellectual property. In particular, it appears that a target of this aspect of the exploit was the content of source code repositories. The vulnerability exploited is known as Hydraq and has been identified by most major AV & computer security organisations including Symantec.

What is the Risk Now?
Since the exploit is now known, you as an IT manager have all the tools at hand for the remediation the exploit on your computers. If your users do not make use of Microsoft Internet Explorer you've done some serious mitigation right there. Once the patch from MS is applied you've removed the risk for this particular trojan. If you have not had this patch applied in your environment, you still are at risk. Further, any infected systems must get cleaned. If you have systems currently infected, it may be very difficult to catch the infection purely by firewall means as the systems are communicating out to the c&c servers using a well known port. However, most of your end user systems shouldn't be making SSL calls out of the firewall, so that should be a good clue there.

No comments: