FlashSky, CEO of Hanhaiyuan
Hanhaiyuan strives to make security a basic attribute of the IT system. It helps customers improve their system security and detect and defend against APT attacks.
At present, most published details of APT attacks come from the United States. This does not mean that APT attacks target only Europe and America. The main reason is that the United States has become the primary target of APT attacks because of its advanced IT technology, and many of the affected high-tech companies are private; American companies regard investigating and publishing security incidents as a matter of good faith, while companies in many other countries are used to covering up a case after being attacked. Another reason, I guess, is that the United States is advanced in APT detection and defense technology, so it can detect some APT attacks in time, and the attack process and techniques can be analyzed together with forensic evidence from the beginning. Other countries lag behind in this respect and discover attacks only at a later stage, when the attack process and method can at best be cleaned up but it is difficult to analyze the evidence and trace the source.
APT attacks include:
1) The Aurora attack against more than 30 high-tech companies such as GOOGLE: the attackers used FACEBOOK friend analysis to select a GOOGLE employee and one of his friends who liked photography. The attackers broke into and took control of the friend's computer, set up a forged photo server hosting IE 0-day attack code, and then, posing as the friend from his own computer, sent the GOOGLE employee an IM message inviting him to view the latest photos. The URL actually pointed to the IE 0-day page. The GOOGLE employee trusted it, opened the page and was compromised. The attackers then used the GOOGLE employee's identity to penetrate the Intranet until they obtained the access permissions of many sensitive users of the GMAIL system. After stealing sensitive information from the MAIL system, the attackers exfiltrated the data through a legitimate encrypted channel. According to the post-incident investigation, more than 30 high-tech companies in the United States were hit by this APT attack, even including top-tier security vendors such as Symantec.
2) The Night Dragon attack against the US Department of Energy: the attackers first collected SQL injection vulnerabilities on the WEB servers of many energy departments, then attacked and took control of these WEB servers. However, the servers themselves were not what the attackers wanted. On these websites the attackers planted 0-day Trojan attack code for IE and OFFICE applications on pages accessible to internal personnel, because a Trojan planted on an internal site is difficult to detect, its spread is limited, and the visitors are essentially the intended targets. As a result, some personal terminals were quickly compromised, and the attackers penetrated the Intranet of the Energy Department, stealing from and controlling a large number of valuable hosts.
3) The attack on RSA that stole the SECURID token seeds: the attacker first took over the mailbox or host of a staff member in a small RSA branch office, and then, using this staff member's identity, sent a financial budget email to the financial director of RSA asking him to review it. An EXCEL attachment was included, but FLASH 0-day exploitation code was embedded in it. The RSA financial director believed the email was trustworthy and part of his own responsibilities, so he opened the EXCEL attachment, and the attacker successfully took control of the RSA financial director's machine and gradually infiltrated further using his identity. Finally the SECURID token seeds were stolen and sent back to the controller through IE's proxy. RSA discovered after the intrusion that the SECURID token seeds had also been stolen, but it was not until attackers used the stolen SECURID token seeds to attack multiple American military contractors that RSA acknowledged the theft.
4) The Stuxnet ("network shock") attack against the Iranian nuclear power plant: the Iranian nuclear power plant is a physically isolated network. Therefore the attackers first collected information on nuclear power plant staff and their family members, launched an attack against the hosts of these family members and successfully controlled them. Exploiting four WINDOWS 0-day vulnerabilities, the malware could infect any connected USB removable media and attack whatever host the media was next connected to. Through this ferry attack it finally penetrated the strictly physically isolated internal network of the Iranian nuclear power plant, and then used three 0-day vulnerabilities in Siemens products to successfully take control of the control system driving the centrifuges. The centrifuge parameters were modified so that power generation appeared normal but no material usable for nuclear weapons could be produced, while manual inspection showed everything as normal. Iran's progress towards successfully manufacturing nuclear weapons was delayed for several years.
There are also some cases that fall into the APT attack category but for which few details are available, or which were detected at the time of the attack.
1) Lockheed MARTIN: the attacker embedded a PDF 0-day in an email and sent it to internal personnel. Lockheed Martin detected the attack, but did not announce how it detected the PDF 0-day.
2) VERISIGN: this year VERISIGN admitted that it had been successfully attacked by hackers, but its former senior management did not know about the incident. VERISIGN insists that the root certificate it uses to sign trusted sites is still secure, but there is no evidence to prove it. If the VERISIGN root certificate was stolen like the SECURID token seeds of RSA, it means attackers can impersonate any trusted site in the future and launch man-in-the-middle attacks on encrypted links without being noticed.
3) NASA: NASA admitted that hackers had successfully intruded at least 13 times last year and stolen many core secrets, but details of the attacks were not disclosed.
4) Korea Agricultural Association Bank: according to some undisclosed analysis, the attackers used social engineering to send a free online-movie coupon (Korean online movies are paid) to the project manager of the IBM outsourcing team responsible for developing the bank's internal systems, and the project manager used his work notebook to visit the movie URL. Using the notebook as a stepping stone, the attackers successfully took control of all important systems of the Korea Agricultural Association Bank and stole information. Then, over a long period, they maliciously corrupted the bank's backups while the backup jobs still reported success. In the final outbreak they deleted all the data and withdrew. When the bank tried to use its backup recovery system, it found that all recent backups were damaged, so a large amount of data could not be restored, causing heavy losses.
Of course there are other reported APT attack cases, which will not be listed here. But in general, APT attacks always rely on:
1) the attacker's understanding of the victim's information, which is the prerequisite for formulating the social engineering and attack strategy;
2) targeted 0-day vulnerabilities, which are a powerful tool for breaking through the current protection system and past some security personnel;
3) Trojans and behaviours tailored to evade the target's protection, especially anti-virus, HIPS, and network audit products.