Friday, April 1, 2011

RSA - Anatomy of an Attack

Via -

Turns out the targeted attack behind the breach that exposed RSA's SecurID technology started with one of the oldest tricks in the book, a phishing email with an infected attachment, according to new details revealed today by RSA and security analysts.


RSA said two different phishing emails were sent to two small groups of low-level users. The emails carried the subject line "2011 Recruitment Plan" and an Excel attachment rigged with the newly patched Adobe Flash zero-day [CVE-2011-0609], which Adobe had seen in limited targeted attacks earlier this month.

"The email was crafted well enough to trick one of the employees to retrieve it from their Junk mail folder, and open the attached Excel file," said Uri Rivner, head of new technologies, consumer identity protection, at RSA, The Security Division of EMC, in a blog post today.

The attack then installed a Poison Ivy variant for remotely controlling the infected machine "in a reverse-connect mode that makes it more difficult to detect as the PC reaches out to the command and control rather than the other way around," Rivner blogged.

The exploit, a Trojan, stole user credentials from RSA employees, including IT staff, and eventually gained privileged access to the targeted system, according to Avivah Litan, vice president and distinguished analyst with Gartner.


RSA's Rivner said the attacker first harvested access credentials: user, domain admin, and service accounts. "They performed privilege escalation on non-administrative users in the targeted systems, and then moved on to gain access to key high value targets, which included process experts and IT and Non-IT specific server administrators," he blogged.

"The attacker in the RSA case established access to staging servers at key aggregation points; this was done to get ready for extraction. Then they went into the servers of interest, removed data and moved it to internal staging servers where the data was aggregated, compressed and encrypted for extraction," he said.

Password-protected RAR files were transferred via FTP from the RSA file server to an external machine that had been compromised at a hosting service provider. "The files were subsequently pulled by the attacker and removed from the external compromised host to remove any traces of the attack," he said.
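The staging step described above, where data was compressed into password-protected RAR archives before leaving the network via FTP, is something an egress or DLP check can test for directly rather than relying on file extensions. The following is an added example, not RSA's or the author's code: it walks RAR 4.x block headers (the format current in 2011) and reports whether the archive encrypts its file data or its headers; the sample archives are constructed inline and the header-field layout follows the RAR 4.x specification.

```python
import struct

RAR4_SIG = b"Rar!\x1a\x07\x00"          # marker block of a RAR 4.x archive
MAIN_HEAD, FILE_HEAD = 0x73, 0x74
MHD_PASSWORD = 0x0080   # main header flag: all following block headers are encrypted
LHD_PASSWORD = 0x0004   # file header flag: this file's data is encrypted
LONG_BLOCK = 0x8000     # block has a 4-byte ADD_SIZE (packed data follows the header)

def inspect_rar4(data: bytes) -> dict:
    """Walk RAR 4.x blocks and report password protection without extracting anything."""
    result = {"is_rar4": data.startswith(RAR4_SIG), "headers_encrypted": False,
              "encrypted_files": [], "plain_files": []}
    if not result["is_rar4"]:
        return result
    pos = len(RAR4_SIG)                 # skip the 7-byte marker block
    while pos + 7 <= len(data):
        _crc, btype, flags, head_size = struct.unpack_from("<HBHH", data, pos)
        add_size = struct.unpack_from("<I", data, pos + 7)[0] if flags & LONG_BLOCK else 0
        if head_size < 7:
            break                       # corrupt header: stop instead of looping forever
        if btype == MAIN_HEAD and flags & MHD_PASSWORD:
            result["headers_encrypted"] = True
            break                       # later blocks are encrypted; names are unrecoverable
        if btype == FILE_HEAD and head_size >= 32:
            name_size = struct.unpack_from("<H", data, pos + 26)[0]
            name = data[pos + 32:pos + 32 + name_size].decode("latin-1", "replace")
            bucket = "encrypted_files" if flags & LHD_PASSWORD else "plain_files"
            result[bucket].append(name)
        pos += head_size + add_size
    return result

def should_flag(data: bytes) -> bool:
    """Egress policy: a RAR whose data or headers are encrypted deserves a second look."""
    r = inspect_rar4(data)
    return r["is_rar4"] and (r["headers_encrypted"] or bool(r["encrypted_files"]))

# --- constructed sample archives (not real RSA data); CRC fields are left as zero ---
def _main_block(flags: int) -> bytes:
    return struct.pack("<HBHH", 0, MAIN_HEAD, flags, 13) + b"\x00" * 6

def _file_block(name: bytes, packed: bytes, encrypted: bool) -> bytes:
    flags = LONG_BLOCK | (LHD_PASSWORD if encrypted else 0)
    head = struct.pack("<HBHH", 0, FILE_HEAD, flags, 32 + len(name))
    # PACK_SIZE UNP_SIZE HOST_OS FILE_CRC FTIME UNP_VER METHOD NAME_SIZE ATTR
    fields = struct.pack("<IIBIIBBHI", len(packed), len(packed), 2, 0, 0, 29, 0x30, len(name), 0x20)
    return head + fields + name + packed

SAMPLE_RAR = (RAR4_SIG + _main_block(0)
              + _file_block(b"customers.xls", b"\x11" * 16, encrypted=True)
              + _file_block(b"readme.txt", b"hi", encrypted=False))
HEADER_ENCRYPTED_RAR = RAR4_SIG + _main_block(MHD_PASSWORD) + b"\xaa" * 24
```

Note that an archive with encrypted headers hides even its file names, so the policy flags on the main-header bit alone instead of trying to read further.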


On March 16, FireEye examined one of the XLS files, which contained the Adobe 0-day, and determined that a known Chinese threat actor, called 'linxder', might have been involved. At the time, the companies targeted with this malware were not known; it would appear RSA was one of those companies.

Trojan.Linxder and the Flash 0-day (CVE-2011-0609)
