Aurora Attacks - from China

User: aewhale
Date: 3/3/2010 6:35 am
Views: 196

On January 12th, 2010, Google publicly revealed that they were the victim of a "highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google." [1]
Google was not the only company affected by this attack; at the time, Google notified over 30 other companies of infection by this malware. In the time since then, further investigations have uncovered that over one hundred companies may have been targeted, although it is difficult to ascertain how closely related these attackers are to Google's assailants.

iSEC Partners has been investigating this attack with several victims, and has found a number of common oversights and vulnerabilities that enabled these attackers to be successful. There has been a great deal of discussion around the Aurora [2] malware suite due to the large amount of information released by the anti-virus vendors. [3] While finding and investigating an infection by Aurora is an important component of responding to this incident, we believe it is important to take into account the overall actions of the people behind these attacks when considering how to respond.

Despite the diversity of victims in these attacks, we have seen a common pattern in the attacks, which generally proceed like this:

1. The attacker socially engineers a victim, often in an overseas office, to visit a malicious website.
2. This website uses a browser vulnerability to load custom malware on the initial victim's machine.
3. The malware calls out to a control server, likely identified by a dynamic DNS address.
4. The attacker escalates his privilege on the corporate Windows network, using cached or local administrator credentials.
5. The attacker attempts to access an Active Directory server to obtain the password database, which can be cracked onsite or offsite.
6. The attacker uses cracked credentials to obtain VPN access, or creates a fake user in the VPN access server.
7. At this point, the attack varies based upon the victim. The attacker may steal administrator credentials to access production systems, obtain source code from a source repository, access data hosted at the victim, or explore Intranet sites for valuable intellectual property.
In this document we outline our recommendations for organizations that have not been contacted about, or found evidence of, an Aurora infection. Known affected organizations can contact us for help putting together a more aggressive incident response plan.

The rest of the report is available here.
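Step 3 of the pattern above (malware beaconing to a control server named through dynamic DNS) is one of the few places a defender can look for the attack without the malware sample in hand: recursive-resolver or DNS-server query logs. The following is an added example, not code from iSEC Partners or from the report excerpted here. It scans DNS query log lines for hostnames under a watchlist of dynamic-DNS parent domains and counts how often each internal client resolved one. The watchlist, the log line format (timestamp, client IP, queried name) and the log lines themselves are assumptions constructed for this illustration; substitute your own resolver's format and your own threat-intelligence list.

```python
"""Flag DNS queries for dynamic-DNS hostnames and count beaconing clients.

Added example (not from the iSEC report). The provider suffixes, the log
format and SAMPLE_LOG below are constructed for illustration only.
"""
import re
from collections import Counter

# Assumed watchlist of dynamic-DNS parent domains. Extend or replace it
# with the list your own threat intelligence supplies.
DYNAMIC_DNS_SUFFIXES = (
    "no-ip.org",
    "no-ip.biz",
    "dyndns.org",
)

# Assumed log format: "<timestamp> <client_ip> <queried_name>", one query
# per line. Real resolvers (BIND querylog, Windows DNS debug log) differ;
# adjust the regex to the fields your logs actually carry.
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)$")


def is_dynamic_dns(qname):
    """True if qname is a watchlisted domain or a subdomain of one.

    The check is suffix-aware: 'not-no-ip.org' must not match 'no-ip.org',
    so the comparison requires either equality or a leading dot.
    """
    q = qname.rstrip(".").lower()
    return any(q == s or q.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES)


def find_suspect_queries(lines):
    """Return (timestamp, client, qname) for every watchlisted query.

    Lines that do not fit the assumed format are skipped rather than
    raising, so one malformed record does not abort a large log scan.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        qname = m["qname"].rstrip(".").lower()
        if is_dynamic_dns(qname):
            hits.append((m["ts"], m["client"], qname))
    return hits


def hosts_by_beacon_count(hits):
    """Count watchlisted queries per internal client, most active first."""
    return Counter(client for _, client, _ in hits)


# Constructed sample log: one client repeatedly resolving a dynamic-DNS
# name (beacon-like), one benign client, one near-miss domain, one
# malformed line.
SAMPLE_LOG = [
    "2010-01-05T03:14:07 10.1.20.15 www.example.com.",
    "2010-01-05T03:14:09 10.1.20.15 update.host-alpha.no-ip.org.",
    "2010-01-05T03:15:09 10.1.20.15 update.host-alpha.no-ip.org.",
    "2010-01-05T03:16:11 10.1.20.42 mail.example.com.",
    "2010-01-05T03:16:12 10.1.20.42 not-no-ip.org.",
    "this line is not a query record",
]

if __name__ == "__main__":
    found = find_suspect_queries(SAMPLE_LOG)
    for ts, client, qname in found:
        print(f"{ts} {client} -> {qname}")
    for client, n in hosts_by_beacon_count(found).most_common():
        print(f"{client}: {n} dynamic-DNS lookups")
```

A client that resolves the same dynamic-DNS name at a steady interval is the signal to escalate; a single lookup may be an employee's home machine, but the per-client count here is only a first triage pass, so confirm by pulling the resolved addresses and the client's process list before treating it as a step-3 infection.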

© 2005-2010 ABS Computer Technology, Inc. - All Rights Reserved