The same sophisticated cyber attack that has targeted Facebook and Twitter has also targeted Apple, according to an exclusive revelation by Reuters. In this latest occurrence, the attackers were able to infect several Mac computers belonging to some employees of Cupertino, exploiting the same 0-Day Java vulnerability used to carry on the attacks against the two well known social networks.
Further details have emerged in the meantime: particularly noticeable is the fact that the attackers used the consolidated “watering hole” technique, compromising a well-known mobile developer forum (iphonedevsdk.com) accessed by the employees of Cupertino (and of many other high profile companies). This has raised the concern that maybe the attackers aimed to manipulate the code of smartphone apps to compromise a huge number of users. Currently the forums shows a banner inviting users to change their passwords.
Apple is working closely with the Federal Bureau of Investigation and has released an update to disable its Java SE 6. Although there is no clear evidence about the Chinese origin of the attack, unfortunately it comes out in the worst possible period: after the wave of attacks against U.S. Media, Mandiant, the firm that investigated the attack against the NYT, released a detailed report suggesting a link between the hacks against U.S. assets. and the Chinese Army.
After the revelation of the Chinese attack against the Gray Lady, other U.S. media companies have admitted to have been targeted by (probably state-sponsored) Chinese Hackers in 2012. Immediately after the NYT, even the Wall Street Journal has revealed to have been infiltrated, and similar rumors have emerged for Bloomberg and the Washington Post in what appears to be a systematic hostile campaign.
In particular the attack against the NYT has apparently confirmed the inadequacy of signature-based antivirus against targeted attacks. As the same New York Times admitted, over the course of three months, the foreign attackers installed 45 pieces of custom malware, but the antivirus in use, made by Symantec, was only able to detect one instance of malware over the entire sample.
The security firm has immediately replied to those allegations:
“Advanced attacks like the ones the New York Times described … underscore how important it is for companies, countries and consumers to make sure they are using the full capability of security solutions. The advanced capabilities in our endpoint offerings, including our unique reputation-based technology and behaviour-based blocking, specifically target sophisticated attacks. Turning on only the signature-based anti-virus components of endpoint solutions alone are not enough in a world that is changing daily from attacks and threats. We encourage customers to be very aggressive in deploying solutions that offer a combined approach to security. Anti-virus software alone is not enough.”
Said in few words: signatures alone are not enough. The sophistication of the next generation targeted attacks require advanced security capabilities such as reputation and behavioral analysis.
According to the scant information available even the Washington Post used Symantec technology to protect its assets, and even in this case it could not prevent the hostile attackers to systematically compromise computer systems.
I wonder if this double coincidence could somehow be connected to the infamous leak of Symantec antivirus source code which occurred (or better was made public) approximately one year ago (the 6th of January 2012). As a consequence of the breach (that allegedly dates back to 2006) the source code of two old products (Symantec Antivirus Corporate Edition 10.2 and Symantec Endpoint Protection 11) were leaked on the Internet. Of course the affected products have been greatly modified since then, nevertheless it is likely that any core functions have not evolved, so in theory, hostile hackers could have taken a (detailed) look at them and have consequently found ways to evade the antivirus (some claim that a similar scenario happened for the infamous RSA breach).
Of course this is just a speculation, maybe the reality is much more simple: traditional antivirus technologies are not enough to thwart sophisticated targeted attacks.
- Symantec: don’t blame us for New York Times hack (go.theregister.com)
- Symantec Gets A Black Eye In Chinese Hack Of The New York Times (forbes.com)
The New York Times has recently reported the news related to a (yet another) targeted cyber-attack against JAXA (Japan Aerospace Exploration Agency). This targeted attack has allegedly led to the exfiltration of sensitive information related to Epsilon, a solid-fuel rocket prototype supposed to be used also for military applications, suggesting the targeted attack is probably part of a cyber-espionage campaign.
The targeted attack has been carried on by mean of a malware installed in a computer at Tsukuba Space Center. Before being discovered, on November 21, the malicious executable has secretly collected data and sent it outside the agency.
This is the second known targeted attack against JAXA in less than eleven months: on January 13, 2012, a computer virus infected a data terminal at Japan’s Space Agency, causing a leak of potentially sensitive information including JAXA’s H-2 Transfer Vehicle, an unmanned vessel that ferries cargo to the International Space Station. In that circumstance officials said that information about the robotic spacecraft and its operations might have been compromised.
Unfortunately the above cyber-attacks are not episodic circumstances, confirming that Japan is a hot zone from an information security perspective, and a coveted target for cyber espionage campaigns. Undoubtedly, the strategic importance of this country in the global chessboard and hence its internal secrets and the intellectual property of its industries are more than a good reason for such similar targeted cyber-attacks.
The list is quite long…
19 September 2011: Mitsubishi Heavy Industries, Japan’s biggest defense contractor, reveals that it suffered a hacker attack in August 2011 that caused some of its networks to be infected by malware. According to the company 45 network servers and 38 PCs became infected with malware at ten facilities across Japan. The infected sites included its submarine manufacturing plant in Kobe and the Nagoya Guidance & Propulsion System Works, which makes engine parts for missiles.
24 October 2011: An internal investigation on the Cyber Attack against Mitsubishi finds signs that the information has been transmitted outside the company’s computer network “with the strong possibility that an outsider was involved”. As a consequence, sensitive information concerning vital defense equipment, such as fighter jets, as well as nuclear power plant design and safety plans, was apparently stolen.
25 October 2011: According to local media reports, computers in Japan’s lower house of parliament were hit by cyber-attacks from a server based in China that left information exposed for at least a month. A trojan horse was emailed to a Lower House member in July of the same year, the Trojan horse then downloaded malware from a server based in China, allowing remote hackers to secretly spy on email communications and steal usernames and passwords from lawmakers for at least a month.
27 October 2011: The Japanese Foreign Ministry launches an investigation to find out the consequences of a cyber-attack targeting dozens of computers used at Japanese diplomatic offices in nine countries. Many of the targeted computers were found to have been infected with a backdoor since the summer of the same year. The infection was allegedly caused by a spear-phishing attack targeting the ministry’s confidential diplomatic information. Suspects are directed to China.
2 November 2011: Japan’s parliament comes under cyber attack again, apparently from the same emails linked to China that already hit the lawmakers’ computers in Japan’s lower house of parliament. In this circumstance, malicious emails are found on computers used in the upper chamber of the Japanese parliament.
13 January 2012: Officials announce that a computer virus infected a data terminal at Japan’s space agency, causing a leak of potentially sensitive information. The malware was discovered on January 6 on a terminal used by one of its employees. The employee in question worked on JAXA’s H-2 Transfer Vehicle, an unmanned vessel that ferries cargo to the International Space Station. Information about the robotic spacecraft and its operations may thus have been compromised and in fact the investigation shows that the computer virus had gathered information from the machine.
20 July 2012: The Japanese Finance Ministry declares to have found that some of its computers have been infected with a virus since 2010 to 2011 and admits that some information may have been leaked. 123 computers on 2,000 have been found infected and, according to the investigation, the contagion started in January 2010, suggesting that information could have been leaked for over two years. The last infection occurred in November 2011, after which the apparent attack suddenly stopped.
Two months again and the World will assist to the 2012 London Olympic Games. Unfortunately the same is not true for Information Security Professional for which the Olympic Games have started approximately two years ago in Iran, more exactly during the summer of 2010 when the infamous malware Stuxnet (the first 21st Century Cyber Weapon) became public, unleashing its viral power to the entire World.
Apparently Olympic Games have nothing to deal with Stuxnet… Only apparently since “Olympic Games” is just supposed to be the code-name of the cyber operation, begun under the Bush administration and accelerated by Mr. Obama, aimed to build the first Cyberweapon targeting the Iranian Nuclear Facilities. This is in few words the genesis of Stuxnet, at least according to a controversial article published by The New York Times, which anticipates a book on the same argument by David E. Sanger (Confront and Conceal, Obama’s Secret Wars and Surprising Use of American Power), and which is generating a comprehensible turmoil.
Of course many words have been spent on the argument and probably (too) many will be spent as Stuxnet has not proven to be an isolated case. Moreover (is this a coincidence?) these revelations of the NYT came out in the aftermath of the discovery of the Flame Malware which is further fueling the tension in Middle East and, if officially confirmed, could set a potentially dangerous precedent for other countries looking to develop or expand their own clandestine cyber operations.
I think I cannot give any useful contribution to the debate, if not a humble suggestion to read this interesting interview to F-Secure CRO Mykko Hypponen who explains the reason antivirus companies like his failed to catch Flame and Stuxnet… If really the alleged NYT revelations will encourage other countries to enhance their cyber arsenal, there is much to be worried about, even because the 21st century cyber weapons have shown, so far, a clear attitude to escape from the control of their creators.
Probably it was a quite easy prediction, however it looks like what I suggested on my random thoughts on the RSA Breach has definitively come true: RSA was not the target, probably its customers were.
On this front, the last two days were quite turbulent, and what seemed initially a simple speculation of an attack using compromised SecureID seeds targeted to “a very large U. S. defense contractor”, is revealing to be one of several attacks towards military contractors of U.S. Defense, using the data stolen during the famous breach of March.
According to a source with direct knowledge of the attacks, quoted in the above linked Reuters article:
The hackers learned how to copy the security keys with data stolen from RSA during a sophisticated attack that EMC disclosed in March, according to the source.
In any case EMC, the parent company of RSA, and the other main U.S. defense contractors possibly involved refused to comment.
I was not surprised by these details, more than one month ago I delineated a possible attack scenario which seems to be very close to what happened, at least for Lockheed Martin. Since the token on its own it is not enough to carry on a successful attack (it must be linked to the owner and very often the real password is also combined with a PIN), other combined actions must be performed to obtain the missing pieces of the puzzle.
I suggested a possible scenario of exploiting the weakness of software tokens, for instance by mean of specific keylogger malware to grab user details and the PIN. It is not exactly what happened in case of Lockheed Martin, but the real attack scenario is quite close since a keylogger was involved as well and used to access the intranet and consequently to get access to the internal network: as a matter of fact, for security reasons many companies use a double layer of authentication for remote access and internal resources. In this case the company forced 100.000 users to reset their passwords.
In reality, as stated by Rick Moy, president of NSS Labs, the initial RSA attack was followed by malware and phishing campaigns seeking specific data that would link tokens to end-users, suggesting that the current attacks may have been carried out by the same hackers. And the game is not over.
Unfortunately the use of phishing to lure the users (and to attack an organization for cybercrime purposes) is not surprising as well. Nowadays this technique, to initially target the users with phishing, leading them to download malware, is the “main engine” of APTs (Advanced Persistent Threats) and it is revealing to be the common denominator of the main breaches and huge scale attacks of this annus horribilis for Information Security. The fact that in this circumstance it was used in combination with the duplicated key of SecureID is only the last unedited variant, and I am afraid it will not be the last.
Fortunately, in any serious situation there is always a flash of humor: according to this article of NYT, the intruders had been detected as they were trying to transfer data by security software provided by NetWitness Corporation, a company that provides network monitoring software. Does NetWitness Corporation sound familiar to you? Of course It does indeed! In April, just after the breach, NetWitness was acquired by RSA’s parent company, EMC.
As Morpheus stated: “Fate, it seems, is not without a sense of irony”, and this is worthwhile for Information Security as well.