Do you have branch offices in China? iSec has published a new report outlining the severity of the attacks on Google.cn, allegedly by the Chinese government, dubbed 'Aurora' attacks. Up to 100 companies were victims, and some are speculating that resistance to such attacks is futile. The report lays out the shape of the attacks — which were customized per-company based on installed vulnerable software and antivirus protection:
1. The attacker socially engineers a victim, often in an overseas office, to visit a malicious website.
2. This website uses a browser vulnerability to load custom malware on the initial victim's machine.
3. The malware calls out to a control server, likely identified by a dynamic DNS address.
4. The attacker escalates his privilege on the corporate Windows network, using cached or local administrator credentials.
5. The attacker attempts to access an Active Directory server to obtain the password database, which can be cracked onsite or offsite.
6. The attacker uses cracked credentials to obtain VPN access, or creates a fake user in the VPN access server.
7. At this point, the attack varies based upon the victim. The attacker may steal administrator credentials to access production systems, obtain source code from a source repository, access data hosted at the victim, or explore Intranet sites for valuable intellectual property.' The report also has pages of recommendations as well as lessons learned, which any systems administrator — even those inside the US — should read and take note of.
Courtesy of slashdot.com