Operation Aurora - Other Zero-Day Attacks targeting finance and Energy

The Aurora Trojan horse is just one of many attacks by the same group of malware authors over the past three years, using the Elderwood hacking platform and a steady supply of zero-day exploits.

The infamous Aurora Trojan horse is just one of many attacks launched by the same group of malware authors over the past three years, according to researchers at Symantec.

Security researchers with Symantec have issued a report outlining the techniques used by the so-called “Elderwood” hacking platform and the group behind it. The group seemingly has an unlimited supply of zero-day vulnerabilities.

The company said that the group is well-funded and armed with more than a half-dozen unpublished security vulnerabilities. “They are definitely shifting their methodology, and there are open questions about why that is,” said Eric Chien, senior technical director for Symantec’s security response group. “They may be finding that older techniques are no longer working.”

The number of zero-day exploits used indicates access to a high level of technical capability. The researchers said that the group appears to favour “watering hole” attack techniques, in which the attacker profiles a targeted group and places attack code on sites that the targets are likely to visit.

Here are just some of the most recent exploits that they have used:

  • Adobe Flash Player Object Type Confusion Remote Code Execution Vulnerability (CVE-2012-0779)
  • Microsoft Internet Explorer Same ID Property Remote Code Execution Vulnerability (CVE-2012-1875)
  • Microsoft XML Core Services Remote Code Execution Vulnerability (CVE-2012-1889)
  • Adobe Flash Player Remote Code Execution Vulnerability (CVE-2012-1535)

Operation Aurora was a cyber attack which began in mid-2009 and continued through December 2009. The attack was first publicly disclosed by Google on January 12, 2010. In the blog post, Google said the attack originated in China.

The attacks were both sophisticated and well resourced, and consistent with an advanced persistent threat attack. The attack was aimed at dozens of other organizations, of which Adobe Systems, Juniper Networks and Rackspace have publicly confirmed that they were targeted.

The security firm has published details in a 14-page research report titled “The Elderwood Project”.

The first thing that stands out in the report is that the vast majority of detections are in the US. In the last year, Symantec detected 677 files used by the Elderwood gang in the US. Rounding out the top five is Canada with 86 files, China with 53, Hong Kong with 31, and Australia also with 31.