Phishing and Flash flaw bagged RSA

By Liam Tung on Apr 4, 2011 8:34 AM
Filed under Security

RSA "don't eat own dog food".

The hackers who breached RSA last month snuck in using a booby-trapped Excel file labelled ‘2011 Recruitment Plan’ that was emailed to low-level staff, according to the EMC security division.  

The first phase of a three-stage assault targeted two small groups within RSA that “you wouldn’t consider ... particularly high value”, according to Uri Rivner, head of new technologies at RSA. 

The email went straight to the junk folder, but one staff member found it “intriguing enough” to retrieve it and open the attachment, which installed the "Poison Ivy" remote access tool (RAT) through a now-patched Adobe Flash vulnerability.

Rivner did not expand on RSA’s previous disclosure that the hackers accessed enough information on its SecurID two-factor authentication to weaken its implementation, but not enough to launch a direct attack on customers.

The Poison Ivy RAT was a variant of the GhostNet RAT that was used in 2009 against The Tibetan Government in Exile, Rivner noted. 

In a similar fashion, the attackers moved up the organisation’s ranks after harvesting the credentials of lower-level users, domain administrators and service accounts. 

“They performed privilege escalation on non-administrative users in the targeted systems, and then moved on to gain access to key high value targets, which included process experts and IT and Non-IT specific server administrators,” he said. 

Despite its wealth of fraud detection technologies, the security vendor only noticed the attack during the third and final "extraction" stage, which he said may have forced the attackers to rush, but was too late to prevent the theft. 

“Then they went into the servers of interest, removed data and moved it to internal staging servers where the data was aggregated, compressed and encrypted for extraction,” said Rivner. 

“The attacker then used FTP to transfer many password protected RAR files from the RSA file server to an outside staging server at an external, compromised machine at a hosting provider. The files were subsequently pulled by the attacker and removed from the external compromised host to remove any traces of the attack.”
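The staging and extraction pattern Rivner describes (many password-protected RAR archives pushed by FTP to a single external host in a short burst) is the kind of activity a file server's transfer log can surface before the data is gone. The following is an added detection sketch, not code from RSA, NetWitness or the article; it assumes a simple constructed transfer-log format (`timestamp src dst direction bytes filename`), assumes the internal address ranges listed in `INTERNAL_NETS`, and uses constructed sample log lines. Thresholds (`window`, `min_files`, `min_bytes`) are illustrative and would be tuned to a real environment.

```python
"""Flag bursts of archive uploads from an internal host to one external host.

Added example for the exfiltration stage described above. The log format,
the internal network list and the sample lines are all assumptions made for
this example; none of it is taken from RSA's environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

# Assumed (constructed) log format: "<ISO timestamp> <src_ip> <dst_ip> <UPLOAD|DOWNLOAD> <bytes> <filename>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<dir>UPLOAD|DOWNLOAD) (?P<bytes>\d+) (?P<name>\S+)$"
)

# Assumed internal address space; anything outside it is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Compressed containers worth counting (RAR is the one named in the article).
ARCHIVE_EXTS = (".rar", ".zip", ".7z")


def is_external(ip: str) -> bool:
    """True when the address is outside every configured internal network."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse(lines):
    """Yield dicts for lines matching the assumed format; skip anything else."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        yield {
            "ts": datetime.fromisoformat(m["ts"]),
            "src": m["src"], "dst": m["dst"], "dir": m["dir"],
            "bytes": int(m["bytes"]), "name": m["name"],
        }


def find_archive_bursts(lines, window=timedelta(minutes=30), min_files=5, min_bytes=50_000_000):
    """Return one alert per (src, dst) pair that uploads at least `min_files`
    archives totalling at least `min_bytes` to an external host within `window`.
    Uses a sliding window over the pair's time-sorted upload events."""
    events = defaultdict(list)
    for e in parse(lines):
        if e["dir"] == "UPLOAD" and e["name"].lower().endswith(ARCHIVE_EXTS) and is_external(e["dst"]):
            events[(e["src"], e["dst"])].append(e)

    alerts = []
    for (src, dst), evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Shrink the window from the left until it spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            chunk = evs[start:end + 1]
            total = sum(e["bytes"] for e in chunk)
            if len(chunk) >= min_files and total >= min_bytes:
                alerts.append({"src": src, "dst": dst, "files": len(chunk), "bytes": total,
                               "first": chunk[0]["ts"], "last": chunk[-1]["ts"]})
                break  # one alert per pair is enough for triage
    return alerts


# Constructed sample log: five RAR uploads to one external host in five minutes,
# plus benign internal, download and non-archive traffic that must not alert.
SAMPLE_LOG = """\
2024-01-15T02:14:00 10.0.5.20 203.0.113.45 UPLOAD 23000000 fs_batch01.rar
2024-01-15T02:15:10 10.0.5.20 203.0.113.45 UPLOAD 21000000 fs_batch02.rar
2024-01-15T02:16:05 10.0.5.20 203.0.113.45 UPLOAD 24000000 fs_batch03.rar
2024-01-15T02:17:30 10.0.5.20 203.0.113.45 UPLOAD 22000000 fs_batch04.rar
2024-01-15T02:19:00 10.0.5.20 203.0.113.45 UPLOAD 20000000 fs_batch05.rar
2024-01-15T09:30:00 10.0.7.11 10.0.7.200 UPLOAD 90000000 backup_monday.rar
2024-01-15T10:02:00 10.0.5.20 203.0.113.45 DOWNLOAD 1200 index.html
2024-01-15T11:00:00 10.0.9.3 203.0.113.80 UPLOAD 500000 report.pdf
"""

if __name__ == "__main__":
    for a in find_archive_bursts(SAMPLE_LOG.splitlines()):
        print(f"ALERT {a['src']} -> {a['dst']}: {a['files']} archives, "
              f"{a['bytes']} bytes between {a['first']} and {a['last']}")
```

The design choice worth noting is that the rule keys on the combination of behaviours the article lists (archive container, outbound direction, external destination, volume in a short window) rather than on any one of them, since a single RAR upload or a single FTP session to the internet is routine in most organisations. The same grouping logic applies equally to proxy or firewall flow records once the parser is swapped for that format.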

Rivner defended RSA’s handling of the attack, highlighting that many organisations don’t discover what's occurred until months afterwards, but Gartner analyst Avivah Litan criticised RSA for failing to “eat their own dog food”.

“They gave a lot of credit to NetWitness [a company RSA is rumoured to be near acquiring] for helping them find the attack in real time but they obviously weren’t able to stop the attack in real time,” she said.


Copyright © iTnews.com.au . All rights reserved.
