RSA confirmed on Friday that the attack that compromised the company’s high-value SecurID product was essentially a small, targeted phishing campaign that included a payload of a malicious Flash object embedded in an Excel file.
The much-discussed attack on RSA, which the company revealed last month, resulted in the company warning customers that the security of their SecurID authentication tokens may be reduced. Speculation about the exact nature of the attack has been rampant in the security community ever since the disclosure, and RSA has been quite tight-lipped about the details of the incident.
But on Friday the company briefed analysts about the details of the attack and then published a series of explanatory blog posts that spilled some, but not all, of the specifics about the incident.
“The attacker in this case sent two different phishing emails over a two-day period. The two emails were sent to two small groups of employees; you wouldn’t consider these users particularly high profile or high value targets. The email subject line read ‘2011 Recruitment Plan,’” Uri Rivner, head of new technologies in the identity protection division of RSA, wrote in a post on the attack.
“The email was crafted well enough to trick one of the employees to retrieve it from their Junk mail folder, and open the attached Excel file. It was a spreadsheet titled ‘2011 Recruitment plan.xls.’ The spreadsheet contained a zero-day exploit that installs a backdoor through an Adobe Flash vulnerability (CVE-2011-0609).”
An RSA spokesman confirmed that the blog posts and attack details were authentic.
What Rivner described, and what RSA apparently detailed for industry analysts, is the textbook definition of a targeted phishing attack. What the attacker goes after and obtains once inside the compromised network largely depends on which user he was able to fool and what that victim’s access rights and position in the organization are.
The malware that the attacker installed was a variant of the well-known Poison Ivy remote administration tool, which then connected to a remote machine. Rivner, as well as other RSA employees in their own posts, discussed the attack as an example of an APT (advanced persistent threat), although the method was essentially a spear phishing attack. The emails were sent to what Rivner said was a small group of RSA employees, at least one of whom pulled the message out of a spam folder, opened it and then opened the malicious attachment.
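The lure described above was a legacy Excel file carrying an embedded Flash object. As an added illustration (not code from RSA or from this article), the following Python triage heuristic scans attachment bytes for SWF headers inside an OLE container so a mail gateway can quarantine such files for analyst review. The sample attachment bytes are constructed here; the file and function names are the author's own assumptions.

```python
"""Attachment triage heuristic: flag legacy Office documents that carry an
embedded Flash (SWF) object.  Added illustration, not RSA's or the article's
code.  Assumes the raw attachment bytes are already available (e.g. handed over
by a mail gateway) and that the container is an uncompressed OLE2 file."""
import re
import struct

# SWF files start with 'FWS' (uncompressed), 'CWS' (zlib) or 'ZWS' (LZMA),
# then a one-byte version and a 4-byte little-endian uncompressed length.
SWF_HEADER = re.compile(rb"(FWS|CWS|ZWS)([\x01-\x20])(.{4})", re.DOTALL)
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # legacy .xls/.doc/.ppt container
OFFICE_EXTS = (".xls", ".doc", ".ppt")


def find_swf_objects(data: bytes):
    """Return (offset, kind, version, declared_len) for each plausible SWF header."""
    hits = []
    for m in SWF_HEADER.finditer(data):
        declared = struct.unpack("<I", m.group(3))[0]
        # Sanity check: a real header declares at least its own 8 bytes and
        # nothing absurd; this prunes random 'CWS' byte runs in binary data.
        if 8 <= declared <= 64 * 1024 * 1024:
            hits.append((m.start(), m.group(1).decode(), m.group(2)[0], declared))
    return hits


def triage_attachment(filename: str, data: bytes) -> dict:
    """Classify an attachment: Office container + embedded SWF => suspicious."""
    name = filename.lower()
    is_office = name.endswith(OFFICE_EXTS) or data.startswith(OLE_MAGIC)
    swf = find_swf_objects(data)
    verdict = "suspicious" if (is_office and swf) else "clean"
    return {"filename": filename, "is_office": is_office,
            "swf_objects": swf, "verdict": verdict}


# Constructed sample bytes (not a real document): an OLE header, padding, then
# a zlib-compressed SWF header declaring a 4096-byte payload.
SAMPLE_XLS = (OLE_MAGIC + b"\x00" * 512 + b"CWS\x0a"
              + struct.pack("<I", 4096) + b"\x78\x9c" + b"\x00" * 100)
SAMPLE_CLEAN = OLE_MAGIC + b"\x00" * 600  # constructed: no SWF header inside

if __name__ == "__main__":
    for fname, blob in (("2011 Recruitment plan.xls", SAMPLE_XLS),
                        ("budget.xls", SAMPLE_CLEAN)):
        print(triage_attachment(fname, blob))
```

This is a byte-level heuristic, not a parser: an SWF whose first sector sits in the OLE mini-stream or whose container is a zipped OOXML file will not be visible to it, so it belongs in front of deeper attachment analysis rather than in place of it.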
“Having set remote access, now the attacker in a typical APT starts digital shoulder surfing to establish the employee’s role and their level of access. If this isn’t sufficient for the attackers’ purpose, they will seek user accounts with better, more relevant, privileges,” Rivner said.
“When it comes to APTs it is not about how good you are once inside, but that you use a totally new approach for entering the organization. You don’t bother to just simply hack the organization and its infrastructure; you focus much more of your attention on hacking the
The description of the attacker’s tactics once inside RSA’s network is quite similar to what security researchers say are common techniques used to obtain, package up and exfiltrate sensitive data.
“The attacker first harvested access credentials from the compromised users (user, domain admin, and service accounts). They performed privilege escalation on non-administrative users in the targeted systems, and then moved on to gain access to key high value targets, which included process experts and IT and Non-IT specific server administrators,” Rivner said in his description of the attack.
“The attacker in the RSA case established access to staging servers at key aggregation points; this was done to get ready for extraction. Then they went into the servers of interest, removed data and moved it to internal staging servers where the data was aggregated, compressed and encrypted for extraction. The attacker then used FTP to transfer many password protected RAR files from the RSA file server to an outside staging server at an external, compromised machine at a hosting provider. The files were subsequently pulled by the attacker and removed from the external compromised host to remove any traces of the attack.”