Attack on RSA used zero-day Flash exploit in Excel

RSA blog details how the security firm was compromised but still does not say what data was stolen.

Elinor Mills, Former Staff Writer
RSA released this illustration that shows step-by-step how it was attacked. (Illustration: RSA)

The breach at RSA that could compromise the effectiveness of the firm's two-factor authentication SecurID tokens was accomplished via phishing e-mails and an exploit for a previously unpatched Adobe Flash hole, RSA has revealed.

The attacker sent two different phishing e-mails over a two-day period last month with the subject line "2011 Recruitment Plan" to two small groups of employees who weren't considered particularly high-profile or high-value targets, Uri Rivner, head of new technologies in consumer identity protection at RSA, wrote in a blog post. Attached to the e-mails was an Excel file containing malware that exploited a hole in Adobe Flash and installed a backdoor that allowed the attacker to remotely take control of the computer, he wrote.

Adobe fixed the vulnerability after RSA's announcement, without mentioning that it was used in the RSA attack. (RSA had revealed the breach last month but did not disclose details on the attack until late last week.)

"The attacker in this case installed a customized remote administration tool known as Poison Ivy RAT (remote administration tool) variant," Rivner wrote. "Often these remote administration tools, the purpose of which is simply to allow external control of the PC or server, are set up in a reverse-connect mode: this means they pull commands from the central command & control servers, then execute the commands, rather than getting commands remotely. This connectivity method makes them more difficult to detect, as the PC reaches out to the command and control rather than the other way around."

The type of attack RSA was hit with is known as an "Advanced Persistent Threat" (APT). Such attacks are often used to target source code and other information useful in espionage, and they involve knowledge of the company's operations, network, and employees and their roles. With APTs, attackers often have months to snoop around the network and gather information. But RSA stopped this attack early on, although the attacker still had time to "identify and gain access to more strategic users," Rivner said. "Since RSA detected this attack in progress, it is likely the attacker had to move very quickly to accomplish anything in this phase," he added.

"The attacker first harvested access credentials from the compromised users (user, domain admin, and service accounts). They performed privilege escalation on non-administrative users in the targeted systems, and then moved on to gain access to key high value targets, which included process experts and IT and Non-IT specific server administrators," he said.

The RSA attacker then copied targeted data and moved it to servers inside the company, where it was aggregated, compressed, and encrypted before being sent to a server at a hosting provider that had itself been compromised, according to Rivner. The File Transfer Protocol (FTP) was used to transfer "many" password-protected RAR (Roshal Archive) files from the RSA file server to the outside server, and the staged files were then deleted to remove traces of the attack, he said.
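Both behaviours described above leave a footprint in ordinary egress logs: a reverse-connect tool makes the victim PC call out to the same external address on a regular cadence, and staging data into large archives pushed out over FTP produces a burst of big outbound transfers from a file server. The script below is an added detection sketch, not RSA's tooling or anything from Rivner's post; the log format, hostnames, addresses, thresholds and every log line are constructed for illustration. It serves both the reverse-connect paragraph and the exfiltration paragraph.

```python
"""Detection sketch for two behaviours from the RSA write-up: a host that
'reaches out' to one external address at a fixed interval (reverse-connect
C2) and a file server pushing large archives out over FTP.  Added example;
log format, hosts, addresses and thresholds are all constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed egress log (not real RSA data). Fields:
# <iso_timestamp> <src_host> <dst_ip> <dst_port> <proto> <bytes_out> <file_or_dash>
SAMPLE_LOG = """\
2011-03-01T09:00:00 ws-042 203.0.113.7 443 tcp 512 -
2011-03-01T09:05:01 ws-042 203.0.113.7 443 tcp 498 -
2011-03-01T09:10:00 ws-042 203.0.113.7 443 tcp 505 -
2011-03-01T09:15:02 ws-042 203.0.113.7 443 tcp 510 -
2011-03-01T09:20:00 ws-042 203.0.113.7 443 tcp 501 -
2011-03-01T09:03:17 ws-017 198.51.100.20 443 tcp 20480 -
2011-03-01T09:11:42 ws-017 198.51.100.21 80 tcp 3500 -
2011-03-01T09:47:09 ws-017 198.51.100.22 443 tcp 900 -
2011-03-01T22:14:05 fs-01 203.0.113.9 21 tcp 83886080 batch01.rar
2011-03-01T22:31:44 fs-01 203.0.113.9 21 tcp 91226112 batch02.rar
2011-03-01T23:02:10 fs-01 203.0.113.9 21 tcp 78643200 batch03.rar
"""

ARCHIVE_EXTS = (".rar", ".zip", ".7z")
FTP_PORTS = {20, 21}


def parse_log(text):
    """Parse the constructed log format into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto, nbytes, fname = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "port": int(port), "proto": proto, "bytes": int(nbytes),
            "file": None if fname == "-" else fname,
        })
    return sorted(events, key=lambda e: e["ts"])


def find_beacons(events, min_events=5, max_jitter=0.1):
    """Flag (src, dst) pairs whose outbound connections recur at a near-constant
    interval: the coefficient of variation of the gaps is at most max_jitter.
    A PC pulling commands on a timer looks exactly like this; normal browsing
    (many destinations, irregular gaps) does not."""
    by_pair = defaultdict(list)
    for e in events:  # events are already time-ordered
        by_pair[(e["src"], e["dst"])].append(e["ts"])
    hits = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append({"src": src, "dst": dst, "count": len(stamps),
                         "interval_s": round(avg),
                         "jitter": round(pstdev(gaps) / avg, 3)})
    return hits


def find_archive_exfil(events, min_bytes=10 * 1024 * 1024):
    """Flag outbound FTP transfers of archive files at or above min_bytes."""
    return [e for e in events
            if e["port"] in FTP_PORTS and e["file"]
            and e["file"].lower().endswith(ARCHIVE_EXTS)
            and e["bytes"] >= min_bytes]


def summarize(text):
    """Run both detectors over a log and return their findings."""
    events = parse_log(text)
    return {"beacons": find_beacons(events), "exfil": find_archive_exfil(events)}


if __name__ == "__main__":
    for name, findings in summarize(SAMPLE_LOG).items():
        print(name, findings)
```

On the constructed log, `ws-042` is flagged for calling `203.0.113.7` every five minutes with almost no jitter, while `ws-017`, which talks to three different hosts at irregular times, is not; `fs-01` is flagged for three large `.rar` uploads over port 21. Note that the "password-protected" property of the archives in Rivner's account is invisible on the wire; size, extension, protocol and timing are what a log-based detector actually sees, so the thresholds need tuning to what is normal for a given file server.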

As interesting as the blog post is on how the attack was accomplished, it leaves out the most important information about the attack: what data was stolen. This is the key information that SecurID customers need to assess their risk and decide what to do to protect their networks.

Initially, experts speculated that a database containing unique numbers for each token was stolen, but that information would still need to be combined with a secret key, called a "seed," to generate the one-time passcodes that flash on the tokens. An attacker would have to somehow predict the seed, as well as know the password associated with the user. RSA has been mum on this point, which could hint at its secret sauce.

Chris Wysopal, chief technology officer at application security firm Veracode, said several information security professionals he has talked to whose companies use SecurID were told by RSA that there is an algorithm that maps the serial number of the token to the seed, and that this algorithm was stolen by the attackers. "The risk here is any way the attackers can get access to a serial number they can get access to the seed," Wysopal said in an e-mail. "The serial numbers used by an organization might not be well protected."

In a follow-up telephone interview with CNET today, Wysopal said he has not been able to verify that information with RSA. "But it makes sense to me. If it's a design weakness they wouldn't want to talk about it," he said. "We haven't been able to confirm it, but as an RSA customer ourselves it's something we are bringing into our threat model" for figuring out how to best secure the network.
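The design concern Wysopal describes is easier to reason about with a toy model. The code below is an added example and is not RSA's algorithm or any real SecurID internals: the passcode function, the two hypothetical provisioning styles, the master secret and the serial numbers are all constructed here. It contrasts a scheme where each token's seed is derived from its printed serial number plus one vendor-held secret (so stealing that derivation exposes every token whose serial is known) with a scheme where seeds are independent random values that exist only in the seed records. Only the token half of the login is modelled; the user's PIN or password remains a separate factor in both designs.

```python
"""Toy model of seed provisioning, constructed for this article; not the
SecurID algorithm.  Compares 'seed derived from serial' against 'seed is
independent randomness' under an attacker who has stolen the derivation."""
import hashlib
import hmac
import secrets


def passcode(seed: bytes, counter: int, digits: int = 6) -> str:
    """Constructed toy OTP: HMAC-SHA256(seed, counter) truncated to `digits`."""
    mac = hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** digits).zfill(digits)


def derived_seed(master_secret: bytes, serial: str) -> bytes:
    """Hypothetical provisioning style A: the seed is a deterministic function
    of the serial number and a single vendor-held master secret."""
    return hmac.new(master_secret, serial.encode(), hashlib.sha256).digest()


def random_seed() -> bytes:
    """Provisioning style B: each token gets fresh randomness that lives only
    in the vendor's and customer's seed records."""
    return secrets.token_bytes(32)


class TokenServer:
    """Verifier holding the per-serial seed table (the 'seed record')."""

    def __init__(self):
        self.seeds = {}

    def provision(self, serial: str, seed: bytes) -> None:
        self.seeds[serial] = seed

    def verify(self, serial: str, counter: int, code: str) -> bool:
        seed = self.seeds.get(serial)
        return seed is not None and hmac.compare_digest(passcode(seed, counter), code)


def codes_from_stolen_algorithm(stolen_master: bytes, serials, counter: int):
    """What an adversary holding only the derivation (master secret plus the
    function) and a list of serial numbers can compute, with no access to
    the server's seed table."""
    return {s: passcode(derived_seed(stolen_master, s), counter) for s in serials}


def exposure_report(master_secret: bytes, derived_serials, random_serials, counter: int = 7):
    """Provision one fleet under style A and one under style B, then test
    whether the attacker's computed code validates for each serial.
    Returns {serial: True if the stolen algorithm reproduced a valid code}."""
    server = TokenServer()
    for s in derived_serials:
        server.provision(s, derived_seed(master_secret, s))
    for s in random_serials:
        server.provision(s, random_seed())
    guesses = codes_from_stolen_algorithm(
        master_secret, list(derived_serials) + list(random_serials), counter)
    return {s: server.verify(s, counter, code) for s, code in guesses.items()}


MASTER = b"constructed-vendor-master-secret"  # constructed value for the demo

if __name__ == "__main__":
    print(exposure_report(MASTER, ["SN-1001", "SN-1002"], ["SN-2001"]))
```

Under style A the stolen derivation plus a serial number is a full substitute for the seed, which is why Wysopal's point about how well an organization protects its serial numbers matters; under style B the attacker still needs the seed records themselves. Either way the report answers only whether the token factor falls, so the password or PIN, and how customers protect it, is the other half of the threat model.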

An RSA spokesman declined to comment beyond what the company has said in its public announcements and blog posts. RSA has also released this post in which Mischel Kwon, RSA consultant and former deputy director for IT Security Staff at the U.S. Department of Justice, commends the company on how it has responded to the incident and notified customers.

RSA has sent security advisory notes to 60,000 customers, briefed 15,000 customers, and had one-on-one briefings with hundreds of customers in sensitive industries who have signed non-disclosure agreements to talk more specifically about how they can best protect themselves, a source close to RSA told CNET.