“Aurora”ResponseRecommendations

February17th,2010PreparedbyAlexStamos,Partner

Version1.0

Courtesyof

©2010iSECPartners,Inc. PublicandNon‐Confidential

BackgroundOnJanuary12th,2010Googlepubliclyrevealedthattheywerethevictimofa“highlysophisticatedandtargetedattackonourcorporateinfrastructureoriginatingfromChinathatresultedinthetheftofintellectualpropertyfromGoogle.”1Googlewasnottheonlycompanyaffectedbythisattack;atthetimeGooglenotifiedover30othercompaniesofinfectionbythismalware.Inthetimesincethen,furtherinvestigationshaveuncoveredthatoveronehundredcompaniesmayhavebeentargeted,althoughit’sdifficulttoascertainhowcloselyrelatedtheseattackersaretoGoogle’sassailants.iSECPartnershasbeeninvestigatingthisattackwithseveralvictims,andhasfoundanumberofcommonoversightsandvulnerabilitiesthatenabledtheseattackerstobesuccessful.TherehasbeenagreatdealofdiscussionaroundtheAurora2malwaresuiteduetothelargeamountofinformationreleasedbytheanti‐virusvendors3.WhilefindingandinvestigatinganinfectionbyAuroraisanimportantcomponentofrespondingtothisincident,webelieveitisimportanttotakeintoaccounttheoverallactionsofthepeoplebehindtheseattackswhenconsideringhowtorespond.Despitethediversityofvictimsintheseattacks,wehaveseenacommonpatternintheattacks,whichgenerallyproceedlikethis:

1. Theattackersociallyengineersavictim,ofteninanoverseasoffice,tovisitamaliciouswebsite.2. Thiswebsiteusesabrowservulnerabilitytoloadcustommalwareontheinitialvictim’smachine.3. Themalwarecallsouttoacontrolserver,likelyidentifiedbyadynamicDNSaddress.4. TheattackerescalateshisprivilegeonthecorporateWindowsnetwork,usingcachedorlocaladministrator

credentials.5. TheattackerattemptstoaccessanActiveDirectoryservertoobtainthepassworddatabase,whichcanbe

crackedonsiteoroffsite.6. TheattackerusescrackedcredentialstoobtainVPNaccess,orcreatesafakeuserintheVPNaccessserver.7. Atthispoint,theattackvariesbaseduponthevictim.Theattackermaystealadministratorcredentialstoaccess

productionsystems,obtainsourcecodefromasourcerepository,accessdatahostedatthevictim,orexploreIntranetsitesforvaluableintellectualproperty.

InthisdocumentweoutlineourrecommendationsfororganizationsthathavenotbeencontactedorfoundevidenceofanAurorainfection.Knownaffectedorganizationscancontactusforhelpputtingtogetheramoreaggressiveincidentresponseplan.

1http://googleblog.blogspot.com/2010/01/new‐approach‐to‐china.html2AKATrojan.Hydraq3http://www.symantec.com/connect/blogs/trojanhydraq‐incident

©2010iSECPartners,Inc. PublicandNon‐Confidential

TacticalRecommendationsThesearerecommendedstepsITandsecurityteamscantaketodetectthetypeofmaliciousactivityexemplifiedbytheAuroraincident.

1. LogandinspectDNStraffic.ThemosteffectivesurveillancemechanismfortrackingtheautomatedandmanualattackshasbeenmonitoringofinternalDNSqueries.DNSisacommoncontrolchannelformalware,andtheseattackershaveshownanaffinityforusingdynamicDNSproviderstoprovidecontrolinformationinDNSresponsesallowingtheattackerstoquicklymovecommandandcontrolserversaheadofinvestigators.Inresponsetothisincidentwearerecommendingthatpotentialvictims:

a. EnableloggingontheirlocalDNSrespondersandcentrallyaggregatetherequestandresponsebodies

b. MonitorandauditallrequestsfordynamicDNSnames

c. InvestigatedevicesmakingsuspiciousorrepeatedqueriestodynamicDNSnames

2. Establishinternalnetworksurveillancecapability.Withouttheabilitytoinspectandcaptureinternalnetworktrafficitisextremelydifficulttotracethistypeofattack.Thequickestsolutionthatcouldprovidethiscapabilitywouldbethedeploymentofsoftware‐basedIntrusionDetectionSystem(IDS)sensorsinsidethecorporatefirewalls,possiblyusingafreeplatformsuchasSnort.Inthelongrunthiscapabilitycouldbereplacedbyacommercialproductormanagedservice,althoughsomeofourclientshavehaddifficultyeffectingrulechangesintheirmanagedIDSsensorsquickenoughtobeeffective.

3. Controlinboundandoutboundnetworktraffic.TheinitialrouteofinfectionforalloftheknownattackshasbeenthroughexploitingflawsinInternetExplorerorAdobeAcrobatusingcontenthostedonexternalservers.Althoughtheseexploitswere“0‐days”andundetectablebyrulesetbasedmalwarescanners,victimswithextensivecontrolsaroundInternetaccessbyworkstations,laptopsandservershavebeenabletorespondmorequicklytotheseattacks,controloutboundcontrolchannelsanduselogdatatotrackdowninfectedhosts.Westronglyrecommendthatallcompaniespreparingforthislevelofadversarydeploycontent‐scanningwebproxieswithextensive,long‐livedloggingofrequests.DNSresolutionshouldhappenontheseproxies,andadvancedclientsshouldutilizeSSLinterceptioncapabilitybydeployingacorporateCA.

4. Expandlogaggregation.Thecompanieswiththemosteffectiveresponsetotheseattackshaveutilizedtheircentrallogaggregationmechanismstotracktheactionsoftheseattackers.Thestorageoflogdatainmultiplesystemscanseriouslyhamperinvestigationeffortsandwearestronglyrecommendingthatclientscreateacentralloggingcapabilitydedicatedtosecuritymonitoringandincidentresponse.Werecommendthatthesecuritylogaggregationsystemcontainatleasttheselogs:

a. SecurityandSystemeventlogsfromWindowsmemberservers.

b. Security,System,andApplicationeventlogsfromDomainControllers.

c. LoginandSSHlogsfromUNIXservers.

d. DNSrequestandresponserecordsfromalllocalresolvers.

e. AlertsfrominternalIDSsensors.

f. Requestlogsfromwebproxydevices.

g. WebaccesslogsfromIntranetsitesandapplications.

©2010iSECPartners,Inc. PublicandNon‐Confidential

5. ExpandWindowsendpointcontrol.NetworkswithlooselymanagedWindowsdesktopsandlaptopsareespeciallyvulnerabletoattacksagainstendusers.Werecommendthatsecuritysensitiveorganizations:

a. Disabletheuseoflocaladministratoraccessforday‐to‐dayactivities.Inmostorganizationslocaladministratoraccessshouldbeeliminatedforalmostallemployeesontheircorporate‐managedsystems.

b. Utilizeapatchsolutionthatcanupdatenon‐Microsoftproducts.ManagingthepatchlevelsofpopularproductssuchasAdobeFlash,Reader,MozillaFirefoxandSunJavaiskeytopreventingcommonexploitsfromworkingonyourusers.

c. Considerapplicationwhitelistingtechnologies.

6. AuditVPNaccessandenrollment.Wehavefoundevidencethattheseattackersprefertoestablishremoteaccessvia“legitimate”VPNportalsinsteadofalwaysrelyingonthecontrolchannelsfortheircustommalware.ItisadvisabletobeginauditingyourVPNaccessserversforunexpectedusersandtoconsiderprotectionsthatpreventattackersfromeasilyissuingthemselvesVPNaccessoncetheycompromiseasmallnumberofuseraccounts.

7. Testmalwarescanningagainstknownrootkits.Ourinvestigationshaveshownthattheattackersarewillingtousevariantsofstandardrootkitsintheirattacksalongsidetheircustomcode,suchasTLD3.Werecommendthatorganizationstesttheeffectivenessoftheirmalwarecontrolmechanismsbyintentionallyinfectingamanagedsystemwithcommonrootkitsandrunninga“fullscan”.

©2010iSECPartners,Inc. PublicandNon‐Confidential

StrategicRecommendationsThesearelongertermrecommendationstohelpprepareforthistypeofadvanced,targetedthreat.Thislistisinnowayexhaustive,butrepresentsseveralissuesthatwecommonlyseeinclientnetworks.

1. Buildasecurityoperationsteam.Manyofoursuggestionswillresultinthecreationofmuchlargerdatasetsofuseforquicklyfindingandrespondingtoattackersinsideofacompany’sperimeter.Unfortunately,thisdataisuselessifthereisnostafftomonitororrespondtoanomalies.Apropersecurityoperationsteamisrelatedtobutstandsapartfromsecurityarchitectureandauditfunctions.Itisimportantthatsecurityoperationsemployeesaregrantedaccesstoproductionsystemsandloggingfacilitiesandareabletoquicklyretrievedatafrommonitoringsystems.

2. Secureyouroverseasoffices.Manyofthecompaniesinvolvedhavefoundthatalargeportionoftheirinfectedworkstationsoriginatedinanoverseasoffice.Thepreferredrouteofattackseemstobeviasocialnetworksandchatchannels,whichareeffectiveinsociallyengineeringtheseemployeesintoclickingonamaliciouslinkoropeninganinfectedfile.ItisimportantforcentralITsecurityteamstoevaluatewhatITfunctionsareabsolutelyrequiredforthefunctioningoftheirremoteofficesandtorestrictinternalnetworkaccesstothoseresources.Morerestrictivecompaniesshouldconsiderwhichsocialnetworksandchatmechanismsshouldbeprovidedforuseoncorporatesystems.

3. Classifyandcatalogsensitivedata.Victimsofthesetypesofattackswhodonotunderstandthedispositionoftheircriticaldataandsystemsstartatadisadvantage.Havingthislistinhandatthestartofanincidentresponsecanguidetheresponderstothesystemsofgreatestimporttothevictimandattacker.

4. SecureyourActiveDirectorynetwork.AthemeofmanyoftheseintrusionshasbeenaconcertedeffortbytheattackerstoutilizethecorporateActiveDirectoryforesttogainprivilegeacrossthenetwork.Theattackersarequitepatient,andhaveutilizedsoftwarethatwaitsinthebackgroundforauseofaNTLMcredentialbyadomainadminforoneofseveralservicesonthemachine(RDP,SMB,DCOM)thatthencapturestheNTLMhashforcracking.Oncetheyhavethishash,theattackerisabletopulltheentireActiveDirectorydatabaseforofflinepre‐computeddictionarycracking.ThereareseveralstepstosecuringyourADforestfromtheseattackers:

a. MakeDomainAdministratoraccountloginssmartcard‐only.Thisconfigurationgreatlyreducestheriskoftheftandmisuseofadministratorcredentials.Ifbackuploginswithpasswordsarerequired,theyshouldbedistinctaccountslimitedtoconsoleloginonly.

b. Donotusesharedlocalaccounts.Theuseoflocal(non‐Domain)accountswithasharedpasswordisacommontechniqueincorporateITenvironments,especiallywhenmachinesareimagedfromacommoncorporatebuild.UnfortunatelysharedaccountscaneasilybecrackedbyofflinecomputingresourcesortheNTLMhashusedasapasswordequivalent.

c. BewareofusingDomainAdminaccountsinautomatedprocesses.ManyITdepartmentsusesystemmanagementandsecuritydevicesthatregularlylogintoWindowsclientsandserverstocheckforpatchlevels,configurationcomplianceortoperformlogaggregation.Whethertheseloginsareperformedbydedicateddevicesorsoftwareinstalledonadomainmemberserver,itisoftenpossibleforanattackertodowngradetheauthenticationhandshaketoNTLMandperformabrute‐forceattacktoretrievethedomainadminpassword.Theseprocessesshouldbeconfiguredtousenon‐Administratorusers

©2010iSECPartners,Inc. PublicandNon‐Confidential

wheneverpossible.ConsiderupgradingsuchsystemstoWindows7orWindowsServer2008R2andusingGPOtoauditorrestrictNTLMtraffictoremoteservers.

d. SetGPOtoreduceauthenticationattackdanger.ThereareseveralActiveDirectorygrouppolicysettingsthatcanincreasethedifficultyofattackinglocalanddomaincredentials.Althoughthedetailsofthesesettingsgobeyondthescopeofthisdocument,thereareseveralexcellentpublicresourcesforWindowshardening4.ImportantsettingstohardenincludetheNoLMHash5,LDAPSigning,DCOMPacketSecurityandLANManagerAuthenticationLevel6policies.

e. AuditDomainusersforunusualpermissions.Attackerswhogainescalatedprivilegesonadomainoftencreateuseraccountsandjointhemtounusualgroups,suchasBackupAdmins,ordirectlygrantthemselvesprivilegesunnecessaryfornormaluse.ThereareseveralcommercialtoolsforauditinganActiveDirectoryforpermissionissues,whichcanbeusefulinfindingoutlieraccounts.

f. Deployread‐onlydomaincontrollersinoverseasoffices.ActiveDirectoryforestswiththeWindows2008functionallevelhavetheoptionofdeployingread‐onlyActiveDirectoryservers.ThisisacriticalsecurityenhancementtoWindowsnetworksthatisappropriateforuseinsemi‐trustedphysicalenvironments.Itshouldbenoted,however,thatpassworddatabasecrackingtechniquesarealsoavailableagainstread‐onlydomaincontrollers.

g. ConsideranexternalForestwithatwo‐waytrustforremoteoffices.AdministrativesecurityboundariesinADareenforcedattheForest,nottheDomainlevel.CreatingdistinctADForestswithtwo‐waytrustsandSIDFilterQuarantine7enabled(thedefault)allowsseamlessKerberosauthenticationbetweenallsystemswhilepreventingelevationofprivilegeattacksthatarepossiblebetweensystemsinthesameForest.Alternatively,ActiveDirectoryFederationServicescanbeusedtoenableuser‐transparent,cross‐Forestresourceaccesswithevenmorelimitedinterconnectivityandtrust.

4http://www.nsa.gov/ia/guidance/security_configuration_guides/current_guides.shtml5http://support.microsoft.com/kb/2996566http://technet.microsoft.com/en‐us/library/dd560653(WS.10).aspx7http://technet.microsoft.com/en‐us/library/cc772633(WS.10).aspx

©2010iSECPartners,Inc. PublicandNon‐Confidential

LessonsLearned

Althoughnoneoftheattacksortechniqueusedinthisseriesofattacksareparticularlynovel,theskillset,patienceandtenacityoftheattackersismuchgreaterthanmostenterprisesareequippedtodealwith.Herearesomegenerallessonsthatwecantakefromtheseattacks:

• Attackersareignoringthefrontdoor.Despitethefocusofthesecurityindustryandenterprisesecurityteamsonproductionnetworksandapplications,attackershavelearnedthat“backdoor”attacksagainstendusersaremuchmoreeffectiveatgainingaccesstomajorcorporations.Itisgenerallymuchhardertosecureinternalcorporatethanproductionnetworks,andinternalandexternalsecurityteamswillneedtorefocusondesigningtrustworthycorporateITenvironments.

• CurrentAnti‐Virussolutionsarenotworking.Allofthevictimswehaveworkedwithhadalreadydeployedenterprise‐wideanti‐virussolutions,noneofwhichpreventedtheinitialattacksortheescalationofprivilegewithinthenetwork.Anti‐virustestsaremostlyrule‐based,andthemajorityofheuristicdetectionmechanismscanbeeasilybypassedifanattackeriscustomizinghismalwareforthatproduct.EnterpriseITdepartmentsshouldnotrelyonthepromisesoftheirvendorsorthirdparties,andshouldverifytheeffectivenessoftheirAVsolutionbytestingitagainstknownadvancedmalwareandrootkits.

• Patchingsometimesisnotenough.Thevulnerabilitiesexploitedduringthisattackwere0‐days,meaningnopatchormitigationdirectionswereavailabletocorrecttheseflaws.Promptandverifiablepatchingisstillakeycomponentofanyinformationsecurityplan,butITgroupsshouldkeepinmindthatadvancedattackerswilloftenbeabletofindnewflawsincomplicatedend‐userproductslikewebbrowsers,officesuitesanddocumentreaders.

• Youmightbeplayinginthebigleagues.Themostinterestingaspectofthisincidentisthatanumberofsmalltomediumsizedcompaniesnowjointheranksofmajordefensecontractors,utilitiesandmajorsoftwarevendorsaspotentialvictimsofextremelyadvancedattackers.Thisisconcerningformanyreasons,nottheleastofwhichisthatevenmostFortune‐500companieswillnotbeabletoassemblesecurityteamswiththediversityofskillsnecessarytorespondtothistypeofincident.ItisextremelyunlikelythatSMBswillbeabletoproperlyprepareforthesethreatsalone,openingthedoorformoreeffectiveproductandmanagedservicesolutionsthanwhatiscurrentlyavailable.

VersionHistory0.9–InitialDraft(Feb9,2010)0.91–Addedlessonslearned(Feb12,2010)0.92–AddedadditionalWinhardeningtips(Feb15,2010)

©2010iSECPartners,Inc. PublicandNon‐Confidential

1.0–Smallfixes,firstpublicrelease(Feb17,2010)