Google Aurora Attackers Behind Internet Explorer Zero-Day Attacks

Ongoing attacks targeting an Internet Explorer zero-day vulnerability have been linked to a cybercrime gang responsible for the Google Aurora attacks in 2009.

Researchers at Symantec said it found similarities in the techniques and files used in the latest round of attacks to those used by the Elderwood group, responsible for highly targeted campaigns over the last several years.

The group, believed to be based in China, has targeted U.S. defense contractors and their partners in the supply chain, including manufacturers of mechanical components. It uses spear phishing to lure specific employees to a malicious site to infect their system. Once the system is infected, the Elderwood attackers remotely gain control, using it as a stepping stone to more sensitive corporate data.

[Related: Attackers Target Internet Explorer Zero-Day Flaw ]

id
unit-1659132512259
type
Sponsored post

"They are responsible for compromising numerous websites, corporations and individuals over the past three years," Symantec said in a report it issued on the Elderwood group earlier this year. "This group is focused on wholesale theft of intellectual property and clearly has the resources, in terms of manpower, funding and technical skills, required to implement this task."

Intellectual property theft has been a rising concern voiced by government officials and prominent security experts who believe that successful attacks are not likely being publicly reported by companies. Well-funded, sophisticated attackers can infiltrate corporate systems and remain stealthy for months and even years. Former White House Cybersecurity Coordinator Howard Schmidt called it a serious national security concern. The Securities and Exchange Commission attempted to increase transparency of the issue in 2011 when it issued a new rule making public companies disclose a data breach or potential breach when it may have an increased risk or financial impact on corporate earnings.

"We believe that there's a tremendous amount of corporate cybercrime and espionage going on that most of the industry doesn't know about," said George Tubin, a senior security strategist at Boston-based security firm Trusteer. "Once your intellectual property is gone in electronic form, it's gone forever."

NEXT: Latest attacks target a number of firms

Researchers first detected the latest round of attacks coming from the Council on Foreign Relations website. Since then, several other sites have been found to be infected with the watering-hole-style attack, including the Capstone Turbine Corporation, a maker of power generation systems.

The remote code execution vulnerability affects Internet Explorer 6, 7 and 8. The attackers use the attack technique to bypass security restrictions designed to prevent malicious code from executing in memory.

Microsoft responded on Jan. 2, issuing an automated, temporary patch while it works on a permanent fix to the coding error. The company indicated on Thursday that it did not have plans to patch Internet Explorer next Tuesday during its regularly scheduled patching cycle.

Despite no indication of a patch next week, patching administrators should not rule out an emergency security update fixing the issue, said Graham Cluley, a senior technology consultant at U.K.-based Sophos.

"Considering the lack of time Microsoft has had to work on and test a fix, the availability of workarounds, and the relatively low level of activity, it wouldn't be a surprise if they didn't manage to include it," Cluley said. "We would, however, not be surprised if Microsoft issued an out-of-band fix before the regular February rollout of patches."

PUBLISHED JAN. 4, 2013