Verizon: RSA Hackers Using Trojans, Keyloggers In Second Wave Attacks

Customers of EMC’s RSA Security division that are worried about being the victim of an attack following the theft of sensitive data relating to that company’s SECURID tokens may not need to rush out and replace those tokens, according to security consulting firm Verizon Business. 

Customers of EMC’s RSA Security division that are worried about being the victim of an attack following the theft of sensitive data relating to that company’s SECURID tokens may not need to rush out and replace those tokens, according to security consulting firm Verizon Business. 

Efforts to stop spear phishing e-mail attacks and limit access to corporate networks from unknown devices may be enough to thwart sophisticated second wave attacks by those who made off with the SECURID secrets, giving companies more time to replace the compromised tokens, Verizon said in a blog post on Thursday
The prospect of follow on attacks that used the stolen SecurID data were raised almost immediately. RSA warned customers about the likelyhood of follow on attacks in March, shortly after the breach was disclosed. Soon after, reports surfaced of attacks against SECURID customers in the defense industrial base, including an attempted hack of defense giant Lockheed Martin that was linked to the theft of the SECURID technology. The attacks are believed to be part of a larger operation with links to the People’s Republic of China. 

Around three quarters of the confirmed and unconfirmed cases believed to be secondary attacks following the theft of SecurID information were found to use key loggers to gather data such as the host users authenticate from, their user ID and PIN and ephemeral token output that – along with the information stolen from EMC/RSA – could be used to clone SECURID tokens, Verizon said. 

The blog post, by Verizon Business analyst Dave Kennedy, provides guidance to the company’s customers in the wake of the hack. Kennedy said that customers who have previously been targeted by the RSA hackers, or who have experienced sophisticated attacks from “state-sponsored actors” should move with urgency to replace their SECURID installations. Most customers should plan to replace their existing SecurID installation, but probably don’t need to rush to do so, Kennedy wrote.

While not providing any new information on the attack, Kennedy said it was likely linked to “nation-state motivated attackers” and that the most likely targets of second wave attacks are firms in the defense industrial base, such as Lockheed Martin, Northrop Grumman, as well as known targets like the IMF. Others who should worry are government departments,researchers and “companies with aggressive international competition.”
All SECURID users need be on the lookout for suspicious e-mail and unusual login activity that may indicate a SECURID account has been compromised. The company said that targeted “spear phishing” e-mail outfitted with Trojan horse programs were used in most of the follow on attacks stemming from the RSA breach. Those include the one confirmed attacks on Lockheed Martin, and attacks on L3 Communications and the IMF that are suspected of being linked to the breach at RSA. 

In the wake of follow-on attacks, RSA has faced pressure from customers to replace all the compromised tokens. However, the firm has maintained that such a step is unnecessary, while also agreeing to replace tokens for affected customers who request it. 

Suggested articles