Security

Group Behind 'Aurora' Attack on Google Still Active

New submitter trokez writes "Symantec has monitored the activities of a group using a specific trojan (Hydraq/Aurora) since 2009. The particular group has been connected (by Symantec) to the attack on Gmail in China, but also other high-profile attacks. 'These attackers have used a large number of zero-day exploits against not just the intended target organization, but also on the supply chain manufacturers that service the company in their cross hairs. These attackers are systematic and re-use components of an infrastructure we have termed the "Elderwood Platform." The term "Elderwood" comes from the exploit communication used in some of the attacks. This attack platform enables them to quickly deploy zero-day exploits.' The attacks seem to focus on industry espionage, with the defense industry and its suppliers at the focus."

  • RSA Hack (Score:2, Interesting)

    by Anonymous Coward on Friday September 07, 2012 @06:13PM (#41267815)

    Yea, we saw this with the RSA hack, basically it's going up the supply chain to exploit suppliers of big companies/the government. In the RSA hack they actually made it look like it was coming from an RSA supplier, and spoofed an email with the THIRD version of an Excel spreadsheet that contained a zero day exploit. The Chinese, they're good at this.

  • by dgharmon ( 2564621 ) on Friday September 07, 2012 @06:44PM (#41268127)
    "The PDF file attached to the email exploits the Adobe Reader 'CoolType.dll' TTF Font Remote Code Execution Vulnerability (BID 43057). It uses a technique known as return-oriented programming (ROP) to bypass Data Execution Prevention (DEP), using code in the icucnv36.dll [symantec.com] module."
