Autopsy of RSA Attack

From the Security Site at ITPRO

The RSA hack was months ago now, but the file and email which helped compromised the security giant has just been found.

By Tom Brewster, 26 Aug 2011 at 15:36

F-Secure believes it has discovered the file and the email which helped crack EMC’s security arm RSA, in what became one of the most famous hacks in history earlier this year.

 

Timo Hirvonen, an F-Secure analyst, doggedly pursued the XLS file used to hack RSA even after others had given up the chase. Hirvonen created a tool to analyse samples for a Flash object, which was used to exploit the target’s system.

“The new tool located several relevant samples. However, one of them was not an Excel file. It was an Outlook message file (MSG),” an F-Secure blog read.

“When Timo opened it up, he knew he was onto something. The message file turned out to be the original email that was sent to RSA on 3 March, complete with the attachment 2011 Recruitment plan.xls. After five months, we finally had the file. And not only that, we had the original email.”

The email which was sent to a single EMC employee, with two others CC’d in, was made to look like it came from Beyond.com, a career network.

The subject line read “2011 Recruitment plan” and the body copy contained just one line: “I forward this file to you for review. Please open and view it.”

Once the file was opened the Flash object was executed by Excel, using a vulnerability to write code on the victim’s machine and then drop a Poison Ivy backdoor to the system. Excel is then closed automatically and the infection is done.

What we think…

It’s clear the email which duped EMC was pretty simple. Certainly it would be unadvisable to trust an email which contains just a single line.

This only emphasises the need for further education amongst workforces about spear phishing. It seems even workers at security firms aren’t getting the message, which would be laughable if the connotations of the RSA hack weren’t so serious.

Tom Brewster, Senior Staff Writer

“After this, Poison Ivy connects back to it’s server at good.mincesur.com. The domain mincesur.com has been used in similar espionage attacks over an extended period of time,” F-Secure said.

“Once the connection is made, the attacker has full remote access to the infected workstation. Even worse, it has full access to network drives that the user can access. Apparently the attackers were able to leverage this vector further until they gained access to the critical SecurID data they were looking for.”

As F-Secure noted, the attack itself did not appear to be hugely sophisticated, although as the vulnerability was a zero-day there was no way RSA could have protected itself by patching.

“Was this an advanced attack? The email wasn’t advanced. The backdoor they dropped wasn’t advanced. But the exploit was advanced,” F-Secure added.

“And the ultimate target of the attacker was advanced. If somebody hacks a security vendor just to gain access to their customers systems, we’d say the attack is advanced, even if some of the interim steps weren’t very complicated.”

The hackers who went after RSA wanted the company’s SecureID information so they could hit US Government contractors, including Lockheed Martin.

Following the Lockheed attacks, RSA offered token replacement for customers “with concentrated user bases typically focused on protecting intellectual property and corporate networks.”

Leave a Reply