Phishing and Flash flaw bagged RSA

By Liam Tung on Apr 4, 2011 8:34 AM
Filed under Security

RSA "don't eat own dog food".

The hackers who breached RSA last month snuck in using a booby-trapped Excel file labelled ‘2011 Recruitment Plan’ that was emailed to low-level staff, according to the EMC security division.  

The first phase of a three-stage assault targeted two small groups within RSA that “you wouldn’t consider ... particularly high value”, according to Uri Rivner, head of new technologies at RSA. 

The email went staight to the Junk box, but one staff member found it “intriguing enough” to retreive it and open the attachment, which installed the "Poison Ivy" remote access tool (RAT) through a now-patched Adobe Flash vulnerability.

Rivner did not expand on RSA’s previous disclosure that the hackers accessed enough information on its SecurID two-factor authentication to weaken its implementation, but not enough to launch a direct attack on customers.

The Poison Ivy RAT was a variant of the GhostNet RAT that was used in 2009 against The Tibetan Government in Exile, Rivner noted. 

In a similar fashion, the attackers moved up the organisation’s ranks after harvesting lower user domain administration and service account credentials. 

“They performed privilege escalation on non-administrative users in the targeted systems, and then moved on to gain access to key high value targets, which included process experts and IT and Non-IT specific server administrators,” he said. 

Despite its wealth of fraud detection technologies, the security vendor only noticed the attack during the third and final "extraction" stage, which he said may have forced the attackers to rush, but was too late to prevent the theft. 

“Then they went into the servers of interest, removed data and moved it to internal staging servers where the data was aggregated, compressed and encrypted for extraction,” said Riven. 

“The attacker then used FTP to transfer many password protected RAR files from the RSA file server to an outside staging server at an external, compromised machine at a hosting provider. The files were subsequently pulled by the attacker and removed from the external compromised host to remove any traces of the attack.”

Riven defended RSA’s handling of the attack, highlighting that many organisations don’t discover what's occurred until months afterwards, but Gartner analyst Aviva Litan criticised RSA for failing to “eat their own dog food”.

“They gave a lot of credit to NetWitness [a company RSA is rumoured to be near acquiring] for helping them find the attack in real time but they obviously weren’t able to stop the attack in real time,” she said.

Follow us on Facebook and Twitter

Copyright © . All rights reserved.


Phishing and Flash flaw bagged RSA
Top Stories
Revealed: winners and losers in 'brutal' cloud market
Inside Gartner's IaaS magic quadrant.
UXC Connect cloud manager joins Alcatel-Lucent Enterprise
Steve Saunders departs UXC Connect after 15 years.
Bank of Queensland hands four-year print deal to Lexmark
Bank moves from multi-vendor approach to single supplier.
Sign up to receive CRN email bulletins
Should Australian companies be given preference for government contracts?

Latest Comments
CRN Magazine

Issue: 338 | May 2015

CRN Magazine looks in-depth at the emerging issues and developments for the channel, and provides insight, analysis and strategic information to help resellers better run their businesses.