'Tricked' RSA Worker Opened Backdoor to APT Attack

APT Presents New Attack Doctrine Built to Evade Existing Defenses

By , April 4, 2011.

A well-crafted e-mail with the subject line "2011 Recruitment Plan" tricked an RSA employee into retrieving a message from a junk-mail folder and opening it. The message contained a virus that led to a sophisticated attack on the company's information systems, a top technologist at the security vendor says in a blog.

An Excel spreadsheet attached to the e-mail contained a zero-day exploit that led to the installation of a backdoor virus, exploiting an Adobe Flash vulnerability, which Adobe has since patched, writes Uri Rivner, head of new technologies, identity protection and verification at RSA, in a blog posted Friday.

RSA unveiled on March 17 that an attacker targeted its SecurID two-factor authentication product in what it termed an advanced persistent threat breach (see RSA Says Hackers Take Aim At Its SecurID Products). An APT refers to sophisticated and clandestine means to gain continual, persistent intelligence on a group such as a nation or corporation. Rivner's blog is the first substantial public comment on the breach since Coviello's statement.

RSA on Monday also announced it is acquiring Netwitness, the network security company that provides real-time network forensics and automated threat analysis solutions. In a statement, Netwitness founder and CEO Amit Yoran alluded to the breach: "Recent events reinforce the passion and commitment we have shared for years - to help you combat zero-day attacks, targeted and advanced threats, and other sophisticated security problems."

Netwitness technology and personnel helped identify the APT attack as it progressed, enabling RSA to launch an aggressive defense, an individual close to RSA says. But the breach had nothing to do with the acquisition; negotiations between RSA and Netwitness began before March 17.

According to Rivner, the exploit injected malicious code into the employee's PC, allowing full access to the machine. The attacker installed a customized variant of a remote administration tool known as Poison Ivy, which has been used in APT attacks against other companies. Such tools set up a reverse-connect model: as Rivner explains, the tool pulls commands from the central command and control servers and then executes them, rather than receiving commands remotely, which makes it harder to detect.
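Because a reverse-connect tool initiates its sessions from inside the network, one place defenders look for it is in outbound flow records, where repeated check-ins to a single external host tend to be evenly spaced. The sketch below is an added example, not code from RSA or from Rivner's blog; the flow records, internal address ranges and thresholds are constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

# Assumed internal address space for this example.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records: (seconds, source IP, destination IP, destination port).
FLOWS = (
    # Workstation checking in with one external host roughly every 60 s.
    [(t, "10.1.4.23", "203.0.113.50", 443) for t in (0, 61, 119, 180, 241, 300, 359)]
    # Ordinary, irregular traffic from another workstation.
    + [(t, "10.1.4.40", "198.51.100.7", 443) for t in (5, 9, 130, 135, 400, 1000)]
    # Regular internal polling (for example monitoring); not outbound, so ignored.
    + [(t, "10.1.4.23", "10.1.0.5", 8080) for t in range(0, 210, 30)]
)

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_beacons(flows, min_conns=6, max_jitter=0.1):
    """Return ((src, dst, port), mean interval) for evenly spaced outbound sessions.

    max_jitter is the allowed ratio of the standard deviation of the gaps
    between connections to their mean (assumed threshold).
    """
    times = defaultdict(list)
    for ts, src, dst, port in flows:
        # Only sessions initiated from inside towards an external host.
        if is_internal(src) and not is_internal(dst):
            times[(src, dst, port)].append(ts)
    hits = []
    for key, stamps in times.items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((key, round(avg)))
    return hits

if __name__ == "__main__":
    for (src, dst, port), interval in find_beacons(FLOWS):
        print(f"{src} -> {dst}:{port} every ~{interval}s")
```

Real implants often randomize their check-in interval, so the jitter threshold trades missed detections against false positives from legitimate polling clients.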

Rivner's analysis of the breach determined the attacker had sent two different phishing e-mails over a two-day period to two small groups of RSA employees. "You wouldn't consider these users particularly high profile or high value targets," he says. Once inside, the attacker sought out employees with great access to sensitive information. "When it comes to APTs, it is not about how good you are once inside, but that you use a totally new approach for entering the organization," Rivner says. "You don't bother to just simply hack the organization and its infrastructure; you focus much more of your attention on hacking the employees."

The RSA official says the attacker initially harvested access credentials from the compromised employee and performed privilege escalation on non-administrative users in the targeted systems, and then moved on to gain access to key high value targets, which included process experts and IT and non-IT specific server administrators.

"If the attacker thinks they can exist in the environment without being detected, they may continue in a stealth mode for a long while," Rivner says. "If they think they run the risk of being detected, however, they move much faster and complete the third, and most 'noisy' stage of the attack. Since RSA detected this attack in progress, it is likely the attacker had to move very quickly to accomplish anything in this phase."

Rivner says the goal of the attacker is to extract information. In this assault, he says, the attacker gained access to staging servers at key aggregation points to prepare for extraction. Next, the attacker accessed servers of interest, moving data to internal staging servers to be aggregated, compressed and encrypted for extraction. Then, the attacker used file transfer protocol to transfer many password protected RAR files from the RSA file server to an outside staging server at an external, compromised machine at a hosting provider. The files were subsequently pulled by the attacker and removed from the external compromised host to remove any traces of the attack.
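The final stage described above, many RAR archives sent by FTP from an internal server to an outside host, leaves a pattern that can be searched for in FTP command logs. The following is an added detection example, not code from RSA or from Rivner's blog; the log line format, addresses, file names and threshold are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed internal address space for this example.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Hypothetical log format: "<time> src=<ip> dst=<ip> cmd=<FTP verb> file=<name> bytes=<n>"
LINE_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) cmd=(?P<cmd>\S+) "
                     r"file=(?P<file>\S+) bytes=(?P<bytes>\d+)")
# .rar plus old-style multi-volume parts (.r00, .r01, ...).
RAR_RE = re.compile(r"\.(rar|r\d{2})$", re.IGNORECASE)

# Constructed sample log lines.
SAMPLE_LOG = """\
02:14:07 src=10.2.0.15 dst=198.51.100.77 cmd=STOR file=d01.rar bytes=52428800
02:15:40 src=10.2.0.15 dst=198.51.100.77 cmd=STOR file=d02.rar bytes=52428800
02:17:02 src=10.2.0.15 dst=198.51.100.77 cmd=STOR file=d03.rar bytes=31457280
02:20:11 src=10.2.0.15 dst=10.2.0.40 cmd=STOR file=backup.rar bytes=1048576
09:03:55 src=10.2.0.88 dst=203.0.113.9 cmd=RETR file=driver.rar bytes=2097152
09:30:00 src=10.2.0.88 dst=203.0.113.9 cmd=STOR file=report.pdf bytes=40960
malformed line
"""

def is_internal(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)

def find_rar_uploads(log_text, min_files=3):
    """Return (src, dst, file count, total bytes) for internal hosts that
    uploaded at least min_files RAR archives by FTP to one external host."""
    totals = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not match the expected format
        if m["cmd"].upper() != "STOR" or not RAR_RE.search(m["file"]):
            continue  # only uploads of RAR archives
        if is_internal(m["src"]) and not is_internal(m["dst"]):
            entry = totals[(m["src"], m["dst"])]
            entry[0] += 1
            entry[1] += int(m["bytes"])
    return [(src, dst, n, size) for (src, dst), (n, size) in totals.items()
            if n >= min_files]

if __name__ == "__main__":
    for src, dst, n, size in find_rar_uploads(SAMPLE_LOG):
        print(f"{src} -> {dst}: {n} RAR uploads, {size} bytes")
```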

Follow Eric Chabrow on Twitter: @GovInfoSecurity
