Hackers who breached Google and other companies in January targeted source code management systems, security firm McAfee asserted Wednesday, manipulating a little-known trove of security flaws that would allow easy unauthorized access to the intellectual property the systems are meant to protect.
The software management systems, widely used at businesses unaware that the holes exist, were exploited by the so-called Aurora hackers in a way that would have enabled them to siphon source code as well as modify it to make customers of the software vulnerable to attack -- akin to making yourself a set of keys in advance for locks that are going to be sold far and wide.
A white paper (.pdf) released by security firm McAfee during this week's RSA security conference in San Francisco provides a couple of new details about the "Operation Aurora" attacks that affected some 34 U.S. companies, including Google and Adobe, beginning last July. McAfee helped Adobe investigate the attack on its system and also provided information to Google about malware that was used in the attacks.
According to the paper, the hackers gained access to software configuration management (SCM) systems, which could have allowed them to steal proprietary source code or surreptitiously make changes to the code that could seep undetected into commercial versions of the company's product. Stealing the code would also allow attackers to examine the source code for vulnerabilities in order to develop exploits to attack customers who use the software, such as Adobe Reader.
"[The SCMs] were wide open," says Dmitri Alperovitch, McAfee's vice president for threat research. "No one ever thought about securing them, yet these were the crown jewels of most of these companies in many ways -- much more valuable than any financial or personally identifiable data that they may have and spend so much time and effort protecting."
Many of the companies that were attacked used the same source code management system made by Perforce, a California-based company whose products are used by many large companies. McAfee's white paper focuses on the insecurities in the Perforce system and provides suggestions for securing it, but the company said it also would be looking at other source code management systems in the future. The paper doesn't indicate exactly which companies were using Perforce or had vulnerable configurations installed.
As previously reported, the attackers gained initial access by conducting a spear-phishing attack against specific targets within the company. The targets received an e-mail or instant message that appeared to come from someone they knew and trusted. The communication contained a link to a web site hosted in Taiwan that downloaded and executed malicious JavaScript, with a zero-day exploit that attacked a vulnerability in the user's Internet Explorer browser.
A binary disguised as a JPEG file was then downloaded to the user's system, opened a backdoor onto the computer, and set up a connection to the attackers' command and control servers, also hosted in Taiwan.
			        	
		