Night Dragon attacks: myth or reality?

Many readers will have seen the press around a series of hacking attacks that have been labelled the ‘Operation Night Dragon’ attacks by McAfee. In this post I will attempt to answer some of the more common questions we have been receiving from customers on this topic.

What is the Night Dragon attack?
To date, there has not been a specific family of malware known as ‘Night Dragon’. Instead, the term has been used to label a series of attacks against various organisations since November 2009, all of which have followed a similar modus operandi. In the McAfee report, the attacks were described to be targeted, using techniques such as social engineering and spear phishing. The purpose of the attacks appears to be penetration of corporate networks in order to extract sensitive data.

How do these attacks work?
The attacks use a variety of components – there is no single piece or family of malware responsible.

The first stage of the attack involves penetration of the target network, ‘breaking down the front door’ if you like. Techniques such as spear phishing and SQL injection of public-facing web servers are reported to have been used. Once in, the attackers upload freely available hacker tools onto the compromised servers in order to gain visibility into the internal network. The internal network can then be penetrated using typical penetration methods (accessing Active Directory account details, cracking user passwords, etc.) in order to infect machines on the network with remote administration tools (RATs).

Am I protected against these attacks?
There are several components used in these attacks, many of which are available from Chinese hacker web sites. As such, there are various detection names associated with this threat. From the details shared thus far around the binaries believed to be involved in these attacks, most of the core components are detected by Sophos products as Mal/Generic-L.

For clarity, we have since published the Troj/NDragon-A and Mal/NDragon-A detections to group the various components together, the latter genotype detection providing generic detection for other variants that are likely to be in the wild.

Detection for some other components used in the attacks has been added as Troj/Redsip-A and Mal/Redsip-A.

The available details suggest that in addition to the above malware, various legitimate tools were used in the attacks (e.g. SysInternals tools). Sophos customers are able to use potentially unwanted application (PUA) and application control (AppC) detections to fully manage the use of such tools within their environment. These tools can include software that is legitimate, but that you really do not want to allow to run on your network (for example, IP scanning, password recovery and remote administration tools).

The one thing that is clear from the Night Dragon attacks is that the use of PUA and AppC detections should not be dismissed. Using these types of technology to help manage what is allowed to run on your network can clearly provide a real security benefit.
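To make the PUA/AppC idea concrete, here is an added example (not Sophos code, and not from the McAfee report) of a toy application-control policy evaluator: it classifies process launches into the tool categories named above and decides, per host role, whether to allow, block or merely audit them. All executable names, host names and roles are constructed for the example.

```python
from dataclasses import dataclass

# Categories of legitimate-but-risky tools named in the post.
# Every executable name below is constructed for this example, not a real tool.
TOOL_CATEGORIES = {
    "netscan.exe": "ip_scanning",
    "pwrecover.exe": "password_recovery",
    "remoteadmin.exe": "remote_administration",
}

# Per-role policy: categories permitted on each kind of host (constructed).
# Categories not listed for a role are blocked, or only logged in audit mode.
ROLE_POLICY = {
    "workstation": set(),
    "admin_jumpbox": {"ip_scanning", "remote_administration"},
}

@dataclass(frozen=True)
class LaunchEvent:
    host: str
    role: str
    image: str  # executable file name as reported by an endpoint agent

def evaluate(event: LaunchEvent, enforce: bool = True) -> str:
    """Return 'allow', 'block' or 'audit' for one process launch.

    Uncategorised binaries are allowed: category-based PUA/AppC control only
    governs the tool classes it knows about; it is not a full allow-list.
    An unknown host role gets the most restrictive treatment (no categories).
    """
    category = TOOL_CATEGORIES.get(event.image.lower())
    if category is None:
        return "allow"
    if category in ROLE_POLICY.get(event.role, set()):
        return "allow"
    return "block" if enforce else "audit"

def triage(events, enforce: bool = True) -> dict:
    """Evaluate a batch of launches; decisions keyed by (host, image)."""
    return {(e.host, e.image): evaluate(e, enforce) for e in events}

# Constructed process-launch events, as an endpoint agent might report them.
SAMPLE_EVENTS = [
    LaunchEvent("ws-042", "workstation", "netscan.exe"),
    LaunchEvent("ws-042", "workstation", "notepad.exe"),
    LaunchEvent("jump-01", "admin_jumpbox", "remoteadmin.exe"),
    LaunchEvent("jump-01", "admin_jumpbox", "pwrecover.exe"),
]

if __name__ == "__main__":
    for (host, image), decision in triage(SAMPLE_EVENTS).items():
        print(f"{host:8} {image:16} -> {decision}")
```

Running with `enforce=False` first is the usual way to size the impact of such a policy before switching to blocking.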

Are these attacks targeted?
Again, at this point, we can only speculate based on the information provided in the report. It could well be that the attacks are targeted against specific organisations. Equally, could it be the case that many networks have been hit in a similar fashion, and that the high profile organisations listed are just the ones where the attack has actually been detected and reported? After all, we are more than familiar with SQL injection techniques being used in an automated fashion to compromise large numbers of web servers.

Why is it important if the attacks were targeted or not? In my opinion, it is a matter of perception. It is important that we do not regard this type of attack as likely to only ever be targeted against high profile, large organisations. All organisations should learn from this report and ensure they have adequate layered protection across their network. User education is important as well – to avoid social engineering providing the route through the front door.

Is this related to Operation Aurora?
I am sure some will speculate that it is! (Just don’t mention the S*****t word!) The truth is, without further information about the source of the attacks it is impossible to tell whether the Night Dragon attacks are related to Aurora at all. The style of attack may be similar (breach the perimeter using whatever means necessary, and then penetrate the internal network to find and extract the required data), but we cannot read too much into what is a very standard form of attack.

Concluding comments
The bottom line from this report is that all organisations must take note of the risk that today’s cybercriminals can pose. The report does not so much reflect a single piece of sophistication, in either attack methodology or malware, as emphasize the persistent and coordinated attacks of organised groups against specific organisations, with the goal of extracting sensitive data.

The truth is that this week is no different to last – there is no new outbreak, vulnerability or risk of infection. Instead, the attacks illustrate the background crimeware menace that all organisations face.