
RSA confirmed on Friday that the attack that compromised the company’s high-value SecurID product began with a small, targeted phishing campaign whose payload was a malicious Flash object embedded in an Excel file.

The much-discussed attack on RSA, which the company revealed last month, resulted in the company warning customers that the security of their SecurID authentication tokens may be reduced. Speculation about the exact nature of the attack has been rampant in the security community ever since the disclosure, and RSA has been quite tight-lipped about the details of the incident.

But on Friday the company briefed analysts about the details of the attack and then published a series of explanatory blog posts that spilled some, but not all, of the specifics about the incident.

“The attacker in this case sent two different phishing emails over a two-day period. The two emails were sent to two small groups of employees; you wouldn’t consider these users particularly high profile or high value targets. The email subject line read ‘2011 Recruitment Plan,’” Uri Rivner, head of new technologies in the identity protection division of RSA, wrote in a post on the attack.

“The email was crafted well enough to trick one of the employees to retrieve it from their Junk mail folder, and open the attached Excel file. It was a spreadsheet titled ‘2011 Recruitment plan.xls.’

The spreadsheet contained a zero-day exploit that installs a backdoor through an Adobe Flash vulnerability (CVE-2011-0609).”

An RSA spokesman confirmed that the blog posts and attack details were authentic.
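The infection vector described above, an SWF object carried inside an .xls, can be triaged without opening the workbook: every SWF starts with an 8-byte header whose signature, version and declared length can be checked, and a zlib-compressed SWF must inflate to exactly the declared size. The following is an added example, not RSA’s or Adobe’s code and not part of the original article. It scans a byte blob for SWF headers, validates them, and runs on a constructed stand-in for the spreadsheet (OLE magic, filler, a minimal hand-built SWF). The sample bytes, the version and size ceilings, and the function names are assumptions for this example.

```python
import struct
import zlib

# SWF header signatures: FWS = uncompressed, CWS = zlib-compressed (SWF 6+),
# ZWS = LZMA-compressed (SWF 13+).
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")
MAX_SWF_VERSION = 60          # assumption: generous ceiling on plausible versions
MAX_SWF_LENGTH = 64 << 20     # assumption: reject absurd declared lengths

# OLE2 compound-file magic (.xls, .doc, .ppt); the constructed sample starts with it.
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"


def parse_swf_header(blob, offset):
    """Validate a candidate SWF header at `offset`.

    Returns a dict (offset, signature, version, length, validated) or None.
    The header is: 3-byte signature, 1-byte version, uint32 LE length of the
    *uncompressed* file including the 8 header bytes themselves."""
    sig = blob[offset:offset + 3]
    if sig not in SWF_SIGNATURES or offset + 8 > len(blob):
        return None
    version = blob[offset + 3]
    (length,) = struct.unpack_from("<I", blob, offset + 4)
    if not 1 <= version <= MAX_SWF_VERSION or not 8 <= length <= MAX_SWF_LENGTH:
        return None
    body = blob[offset + 8:]
    validated = True
    if sig == b"FWS":
        # Uncompressed: the whole declared file must fit in the container.
        if length - 8 > len(body):
            return None
    elif sig == b"CWS":
        # A genuine CWS inflates to exactly length - 8 bytes; decompressobj
        # stops at the end of the zlib stream and ignores trailing filler.
        try:
            inflated = zlib.decompressobj().decompress(body)
        except zlib.error:
            return None
        if len(inflated) != length - 8:
            return None
    else:
        # ZWS uses a custom LZMA framing; report it without validating.
        validated = False
    return {"offset": offset, "signature": sig.decode("ascii"),
            "version": version, "length": length, "validated": validated}


def find_embedded_swf(blob):
    """Scan a container (e.g. an .xls) for embedded SWF objects."""
    hits = []
    for sig in SWF_SIGNATURES:
        pos = blob.find(sig)
        while pos != -1:
            hdr = parse_swf_header(blob, pos)
            if hdr is not None:
                hits.append(hdr)
            pos = blob.find(sig, pos + 1)
    return sorted(hits, key=lambda h: h["offset"])


def build_minimal_swf(version=10, compress=True):
    """Construct the smallest valid SWF: header, RECT with Nbits=0 (one zero
    byte), frame rate 12.0 (8.8 fixed point), one frame, then an End tag."""
    body = b"\x00" + struct.pack("<HH", 12 << 8, 1) + b"\x00\x00"
    header = bytes([version]) + struct.pack("<I", 8 + len(body))
    if compress:
        return b"CWS" + header + zlib.compress(body)
    return b"FWS" + header + body


# Constructed stand-in for a workbook with an embedded Flash object:
# OLE magic, filler, the SWF, more filler. Not a real .xls.
SAMPLE_XLS = (OLE_MAGIC + b"\x00" * 504 + b"2011 Recruitment plan"
              + b"\x00" * 64 + build_minimal_swf() + b"\x00" * 128)

if __name__ == "__main__":
    for hit in find_embedded_swf(SAMPLE_XLS):
        print("SWF %(signature)s v%(version)d, %(length)d bytes at offset %(offset)d" % hit)
```

A real compound file may split a small embedded object across non-contiguous mini-stream sectors; in that case walk the streams with an OLE parser first and apply the same header check to each stream. Any SWF inside a spreadsheet is worth a second look, since a workbook has no business carrying Flash content.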

What Rivner described (and what RSA apparently detailed for industry analysts) is the textbook definition of a targeted phishing attack. What the attacker goes after and obtains once inside the compromised network largely depends on which user the attacker was able to fool and what that victim’s access rights and position in the organization are.

The malware that the attacker installed was a variant of the well-known Poison Ivy remote administration tool, which then connected back to a remote machine. Rivner, as well as other RSA employees in their own posts, discussed the attack as an example of an APT (advanced persistent threat), although the entry method was a spear phishing attack: emails sent to what Rivner said was a small group of RSA employees, at least one of whom pulled the message out of a spam folder, opened it and then opened the malicious attachment.

“Having set remote access, now the attacker in a typical APT starts digital shoulder surfing to establish the employee’s role and their level of access. If this isn’t sufficient for the attackers’ purpose, they will seek user accounts with better, more relevant, privileges,” Rivner said.

“When it comes to APTs it is not about how good you are once inside, but that you use a totally new approach for entering the organization. You don’t bother to just simply hack the organization and its infrastructure; you focus much more of your attention on hacking the employees.”

The description of the attacker’s tactics once inside RSA’s network is quite similar to what security researchers say are common techniques used to obtain, package up and exfiltrate sensitive data.

“The attacker first harvested access credentials from the compromised users (user, domain admin, and service accounts). They performed privilege escalation on non-administrative users in the targeted systems, and then moved on to gain access to key high value targets, which included process experts and IT and Non-IT specific server administrators,” Rivner said in his description of the attack.

“The attacker in the RSA case established access to staging servers at key aggregation points; this was done to get ready for extraction. Then they went into the servers of interest, removed data and moved it to internal staging servers where the data was aggregated, compressed and encrypted for extraction. The attacker then used FTP to transfer many password protected RAR files from the RSA file server to an outside staging server at an external, compromised machine at a hosting provider. The files were subsequently pulled by the attacker and removed from the external compromised host to remove any traces of the attack.”
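The exfiltration stage Rivner describes, and the DLP argument in the comments below, turn on one observable: password-protected RAR archives leaving the network. A RAR archive announces its encryption in cleartext header flags, so an egress inspector can flag it without knowing the password, even though it cannot read the contents. The following is an added example, not RSA’s code and not any DLP vendor’s. It walks the block headers of a RAR 4.x archive (the format in use in 2011), reports entries carrying the LHD_PASSWORD flag and archives whose headers are themselves encrypted (MHD_PASSWORD), and derives a verdict from that. The archive builder, its constructed entries, the verdict labels and the function names are assumptions for this example; RAR 5.x uses a different layout and is only recognised here, not parsed.

```python
import struct
import zlib

RAR4_MARKER = b"Rar!\x1a\x07\x00"      # RAR 1.5 through 4.x
RAR5_MARKER = b"Rar!\x1a\x07\x01\x00"  # RAR 5.x: different layout, not parsed here

HEAD_MAIN, HEAD_FILE, HEAD_END = 0x73, 0x74, 0x7B
MHD_PASSWORD = 0x0080    # main header: every following block header is encrypted
LHD_PASSWORD = 0x0004    # file header: this entry's data is encrypted
LHD_LARGE = 0x0100       # file header: 64-bit size extension precedes the name
LONG_BLOCK = 0x8000      # block carries ADD_SIZE bytes of data after the header


def inspect_rar4(blob):
    """Walk the block headers of a RAR 4.x archive and report encryption.

    Returns None if `blob` is not a RAR archive. Header CRCs are not
    verified, so treat the result as a triage signal, not proof."""
    if blob.startswith(RAR5_MARKER):
        return {"format": "rar5", "parsed": False}
    if not blob.startswith(RAR4_MARKER):
        return None
    result = {"format": "rar4", "parsed": True, "encrypted_headers": False,
              "files": [], "encrypted_files": []}
    pos = len(RAR4_MARKER)
    while pos + 7 <= len(blob):
        # Every block: HEAD_CRC u16, HEAD_TYPE u8, HEAD_FLAGS u16, HEAD_SIZE u16
        head_type, head_flags, head_size = struct.unpack_from("<BHH", blob, pos + 2)
        if head_size < 7 or pos + head_size > len(blob):
            break
        add_size = 0
        if head_flags & LONG_BLOCK:
            if pos + 11 > len(blob):
                break
            (add_size,) = struct.unpack_from("<I", blob, pos + 7)
        if head_type == HEAD_MAIN and head_flags & MHD_PASSWORD:
            result["encrypted_headers"] = True
            break   # later headers are ciphertext; nothing more can be read
        if head_type == HEAD_FILE and head_size >= 32:
            # Fixed file header: sizes, host OS, CRC, time, version, method,
            # NAME_SIZE at +26, attributes; name at +32 (or +40 with LHD_LARGE).
            (name_size,) = struct.unpack_from("<H", blob, pos + 26)
            name_off = pos + 32 + (8 if head_flags & LHD_LARGE else 0)
            name = blob[name_off:name_off + name_size].decode("utf-8", "replace")
            result["files"].append(name)
            if head_flags & LHD_PASSWORD:
                result["encrypted_files"].append(name)
        if head_type == HEAD_END:
            break
        pos += head_size + add_size
    return result


def egress_verdict(blob):
    """Egress policy (assumption for this example): an archive the inspector
    cannot open does not leave the network."""
    info = inspect_rar4(blob)
    if info is None:
        return "not-rar"
    if not info["parsed"] or info["encrypted_headers"] or info["encrypted_files"]:
        return "block"
    return "allow"


def _block(head_type, head_flags, payload):
    """One RAR 4.x block header. HEAD_CRC is the low 16 bits of CRC32 over
    everything after the CRC field."""
    body = struct.pack("<BHH", head_type, head_flags, 7 + len(payload)) + payload
    return struct.pack("<H", zlib.crc32(body) & 0xFFFF) + body


def build_rar4(entries, encrypt_headers=False):
    """Construct a RAR 4.x archive for testing. Constructed stand-in: entries
    are stored unpacked, and 'protected' entries carry plaintext with the
    flag set rather than the salt and AES ciphertext WinRAR would write."""
    out = RAR4_MARKER + _block(HEAD_MAIN, MHD_PASSWORD if encrypt_headers else 0,
                               struct.pack("<HI", 0, 0))
    if encrypt_headers:
        return out + b"\xAA" * 64   # opaque stand-in for encrypted file headers
    for name, data, protected in entries:
        raw_name = name.encode("utf-8")
        flags = LONG_BLOCK | (LHD_PASSWORD if protected else 0)
        fixed = struct.pack("<IIBIIBBHI", len(data), len(data), 2,       # PACK/UNP size, HOST_OS=Win32
                            zlib.crc32(data) & 0xFFFFFFFF, 0, 29, 0x30,  # FILE_CRC, FTIME, UNP_VER, METHOD=store
                            len(raw_name), 0x20)                         # NAME_SIZE, ATTR
        out += _block(HEAD_FILE, flags, fixed + raw_name) + data
    return out


# Constructed sample: one password-protected entry next to a plain one.
SAMPLE_ARCHIVE = build_rar4([
    ("2011 Recruitment plan.xls", b"constructed payload bytes", True),
    ("readme.txt", b"benign", False),
])

if __name__ == "__main__":
    info = inspect_rar4(SAMPLE_ARCHIVE)
    print(info["files"], "encrypted:", info["encrypted_files"], "->", egress_verdict(SAMPLE_ARCHIVE))
```

The same header walk also surfaces file names, which is how a rule can distinguish a routine protected archive from one whose entries mirror internal share paths. Blocking on "cannot inspect" is the disruptive setting the final comment argues for; the alternative is to alert on the flag and correlate with the destination and volume, which is closer to what a network monitoring product sees.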

Categories: Cryptography, Data Breaches, Malware, Vulnerabilities

Comments (24)

  1. David

    When the person was fooled into opening the attached file would it have made any difference (assuming they were running Windows XP) as to whether they were logged on with a limited account as opposed to an Administrator account?

  2. david

    david, yes and no.. once the attacker is on that first system, they can wait days or weeks for the ideal moment which will eventually come.. internal office networks are a security nightmare.. an open file share here.. cached admin credentials there.. a still functional windows 2000 box or two.. it doesn’t take much to turn a small compromise into a full compromise..

  3. Anonymous

    Ain’t Flash great? I wish that Adobe would fix the security nightmare that is Flash.

  4. Anonymous

    This attack clearly may have resulted in a cascade failure, i.e. one or more previously identified high-value targets compromised within seconds or minutes of extraction of the data.

  5. Owen Davies

    Compromising an office Windows machine is not difficult, what is interesting is how they then managed to escalate that to a level to be able to compromise servers. A decent architecture is usually run in a way where you assume the office computers are compromised, and have your servers on a separate network with different login credentials.

  6. paul

    I wish Adobe would just pull Flash.  Its entire life span has proved that it’s not to be trusted.  Every time Adobe spurts out “it’s safe, we’ve done X and Y and sandboxed it” we wait a week and there is a 0 day system access exploit.  It’s one piece of software that should be outlawed.

    RSA of all companies should have pounded this type of attack deep into the memories of every employee, completely inexcusable.

    “Do as we say, not as we do”

  7. Ron

    Its entire life span has proved that it’s not to be trusted.

    How is that different from Windows?

    It’s one piece of software that should be outlawed.

    Yes, Windows should be outlawed.

    And people should prove that they are competent to use computers before they are allowed on a network.  (Except who do you trust to create a competent test that doesn’t ignore Unix/Linux and how would you then restrict access only to competent users?).

  8. durka

    so if the attacker was using compressed and passworded rar files for exfiltration objectives in the rsa attack, my question is why hasn’t the company implemented their own DLP solution to stop such items from leaving their own netw

  9. terry

    I think there is a slight difference between an OS of several gigabytes in size when compared to a 400kb application that demands access beyond what it needs, none.

  10. Anonymous

    Seriously?  NetWitness?  NetWitness did absolutely nothing in this situation, and proved worthless for RSA Security.

  11. Jonas

    I’m sure flash is an essential application at a security company such as RSA. I’m glad they take IT security so seriously.

  12. Anonymous

    Attack the weakest link, PICNIC!

    To be fair, why is any employee using Flash?
    YouTube IS NOT WORK RELATED!
    Bouncing Bunnies IS NOT WORK RELATED!

    Why would any employer allow employees to use it, workers are there to work not waste time.

  13. Mememe

    Sometimes, flash is even required. I don’t agree with it, but that’s how it is. Some webapps work with Flash. And I don’t mean a simple dropbox, nope, just have a look at Hitachi’s new Command Suite. It’s 95% flash with some java thrown in.

    It’s not because you have Flash that it means you watch YT videos. YT would probably have been blocked anyway ;)

  14. Anonymous

    So there wasn’t any breach in RSA ?! A PR stunt to justify buying NetWitness? Or pushing Envision product line perhaps.

  15. Dennis Fisher

    Apparently they did have a NetWitness deployment in place, which saw the attack as it was occurring. It’s not clear how far into the operation the bad guys were before RSA figured it out, though.

  16. Anonymous

    DLP can’t solve that problem.  No DLP can inspect password protected RAR files, whether it’s Vontu, RSA, or any other.  The best it can do is say that a password protected RAR file was sent.  Then again, maybe this user was supposed to be sending password protected RAR files in which case it would look like an ordinary day at work instead of a breach.  Who is to say this same stuff isn’t happening at Symantec, McAfee, IBM, or any other security vendor.  Difference is that RSA detected it and chose to let their customers know about it.  As an RSA customer, I am concerned, but I am confident my SecurID is still effective, and I appreciate their notification.

  17. Rbaker

    Not correct, DLP can be configured to prevent exactly this scenario. In this case, the DLP tool should be configured to block any encrypted (non-inspectable) file from passing through any egress point. It is disruptive to the ad hoc business processes that most firms rely on, but it has become absolutely mandatory.
