Google recently announced that its China-based location was the victim of an attack that targeted and compromised a critical internal system used to track the email accounts of those on China’s watch list. The system was designed to comply with government warrants for information concerning Chinese human rights activists. Some suspect China of targeting this specific system to circumvent the official warrant process in order to collect data on other Chinese citizens [1].
More alarmingly, this attack was not exclusively directed at Google. In all, at least 34 companies including Yahoo, Symantec, Northrop Grumman, Dow Chemical, Washington-based think tanks, and assorted human rights advocacy groups were compromised by the spear phishing attack [2].
At first rumored to be another Adobe flaw, closer examination by McAfee Labs revealed that the attack (code named “Aurora”) was actually a sophisticated zero-day vulnerability exploit against Microsoft’s Internet Explorer [3].
What should be most worrisome is not the zero-day in all versions of IE, but the new crop of “advanced persistent threats” that are siphoning money and intellectual property. These APTs are professionally organized, have extensive funding and employ smart people. The result: triple encrypted shell code which downloads multiple encrypted binaries used to drop an encrypted payload on a target machine which then establishes an encrypted SSL channel to connect to a command and control network [4]. This is serious stuff.
Only a few years ago the majority of web-based attacks seemed to be launched by individuals or small groups to collect credit card information. These attacks had serious consequences, but the magnitude of the losses and the organization of the black market economy were still child’s play by today’s standards.
Current threats from the Eastern bloc are directed at massive monetary gain - probably in the area of tens of millions of dollars [5]. China appears hell-bent on stealing state secrets and intellectual property from governments and private business alike. The stakes are much higher, and the bad guys are much more capable of pulling off the heist.
China
We have known for a long time that China is engaged in actively sponsoring espionage. However, the focused targeting of private business is a newer, more sophisticated and lucrative threat. These spear phishing attacks are intensely researched and aimed at top-level executives, and will become more common as time passes.
In a directly related point, consider the curious appearance of a new website called iiScan. This service (based in China) offers to scan your web application for vulnerabilities - for FREE. Just sign up and point their software at your website, and they will ‘figure out’ how vulnerable to an attack you might be. After the scan is done, they will email a PDF report to your email account.
Wow. This service sounds like an overwhelmingly bad idea. It doesn’t take much to imagine all the things that could go wrong in this scenario, even if the Chinese government didn’t directly fund targeted attacks, IE didn’t have multiple zero-day exploits, and a proof of concept embedded malicious PDF exploit had not just been released. Can you say ‘Beijing Cocktail’?
It may well turn out that NOSEC Technologies Co., Ltd. (the company behind iiScan) is legitimate, or at least started out that way. Even if they are not actively attacking websites, it shouldn’t take long for them to become a high profile target for either private hackers or the Chinese government itself. What would be a better target than a database full of public websites and their known vulnerabilities? These sites, if not already compromised by iiScan, could be used as command and control drones, payload hosts, pieces of a distributed file-system, or merely SPAM relay channels.
Education and Armament
Every day adds more proof that web application threats are being crafted by motivated professional organizations with deep pockets. Security needs to be taken very seriously, practiced diligently, and all users need to be paranoid when surfing the web. This is especially important because the media is very cautious about reporting all the gory details of the real impact of cybercrime [6].
Installing preventative software is a good idea, too. Some of the latest tools and devices may help to prevent drive-by malware, spear phishing payloads, etc. Install Firefox and use plug-ins that flag suspected malware host sites. Use a personal web proxy, and restrict evil IPs. You can get the most comprehensive list of Korean and Chinese blocks (including iptables, htaccess files, dns zones, etc) from this page. Above all, stop clicking on those emails from your least technical friends that include an attached PowerPoint or PDF file to deliver a punch line. The villains take the Internet very seriously, and so should you.
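The block-list advice above (turning a list of address ranges into iptables and .htaccess deny rules, and checking whether a given address falls inside the list) as an added Python example. This is not code from the original post or from the page it links to; the CIDR ranges are constructed RFC 5737 documentation prefixes standing in for whatever country or threat-intelligence list you actually source, and the rule formats are plain iptables and Apache 2.2 `Deny from` syntax.

```python
"""Build IP block rules from a CIDR list and test addresses against it.

Added example, not from the original post. The ranges in SAMPLE_BLOCKLIST are
constructed RFC 5737 documentation prefixes, not a real country block list.
"""
import ipaddress

# Constructed sample list in the one-prefix-per-line form most published
# block lists use. The /25 on the last line is already covered by the /24
# above it, which lets parse_blocklist() show the overlap being merged.
SAMPLE_BLOCKLIST = """
# constructed example block list (RFC 5737 ranges)
192.0.2.0/24
198.51.100.0/24
203.0.113.0/25
192.0.2.128/25   # redundant: inside 192.0.2.0/24
"""


def parse_blocklist(text):
    """Return sorted, de-duplicated ip_network objects from a text block list.

    Blank lines and '#' comments are ignored. Overlapping or adjacent prefixes
    are merged so the generated rule sets stay as short as possible.
    """
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        # strict=False tolerates host bits set in the prefix (e.g. 192.0.2.5/24)
        nets.append(ipaddress.ip_network(line, strict=False))
    return list(ipaddress.collapse_addresses(nets))


def is_blocked(ip, nets):
    """True if the address lies inside any network of the block list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def iptables_rules(nets, chain="INPUT"):
    """One DROP rule per network, in the form you would paste into a shell."""
    return [f"iptables -A {chain} -s {net.with_prefixlen} -j DROP" for net in nets]


def htaccess_rules(nets):
    """Apache 2.2 style .htaccess block: allow everyone, then deny the list."""
    lines = ["Order Allow,Deny", "Allow from all"]
    lines += [f"Deny from {net.with_prefixlen}" for net in nets]
    return lines


if __name__ == "__main__":
    nets = parse_blocklist(SAMPLE_BLOCKLIST)
    print("\n".join(iptables_rules(nets)))
    print()
    print("\n".join(htaccess_rules(nets)))
    for probe in ("192.0.2.77", "203.0.113.200", "10.0.0.1"):
        print(probe, "blocked" if is_blocked(probe, nets) else "allowed")
```

The same `is_blocked()` check is what a personal proxy would apply to the destination address of each outbound request; the rule generators are for the host firewall and web server respectively, and because the list is collapsed first, a sloppy upstream list with overlapping entries does not bloat either rule set.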
