Phishing and Flash flaw bagged RSA

Powered by SC Magazine
 

RSA "don't eat own dog food".

The hackers who breached RSA last month snuck in using a booby-trapped Excel file labelled ‘2011 Recruitment Plan’ that was emailed to low-level staff, according to the EMC security division.  

The first phase of a three-stage assault targeted two small groups within RSA that “you wouldn’t consider ... particularly high value”, according to Uri Rivner, head of new technologies at RSA. 

The email went staight to the Junk box, but one staff member found it “intriguing enough” to retreive it and open the attachment, which installed the "Poison Ivy" remote access tool (RAT) through a now-patched Adobe Flash vulnerability.

Rivner did not expand on RSA’s previous disclosure that the hackers accessed enough information on its SecurID two-factor authentication to weaken its implementation, but not enough to launch a direct attack on customers.

The Poison Ivy RAT was a variant of the GhostNet RAT that was used in 2009 against The Tibetan Government in Exile, Rivner noted. 

In a similar fashion, the attackers moved up the organisation’s ranks after harvesting lower user domain administration and service account credentials. 

“They performed privilege escalation on non-administrative users in the targeted systems, and then moved on to gain access to key high value targets, which included process experts and IT and Non-IT specific server administrators,” he said. 

Despite its wealth of fraud detection technologies, the security vendor only noticed the attack during the third and final "extraction" stage, which he said may have forced the attackers to rush, but was too late to prevent the theft. 

“Then they went into the servers of interest, removed data and moved it to internal staging servers where the data was aggregated, compressed and encrypted for extraction,” said Riven. 

“The attacker then used FTP to transfer many password protected RAR files from the RSA file server to an outside staging server at an external, compromised machine at a hosting provider. The files were subsequently pulled by the attacker and removed from the external compromised host to remove any traces of the attack.”

Riven defended RSA’s handling of the attack, highlighting that many organisations don’t discover what's occurred until months afterwards, but Gartner analyst Aviva Litan criticised RSA for failing to “eat their own dog food”.

“They gave a lot of credit to NetWitness [a company RSA is rumoured to be near acquiring] for helping them find the attack in real time but they obviously weren’t able to stop the attack in real time,” she said.

Copyright © iTnews.com.au . All rights reserved.


Phishing and Flash flaw bagged RSA
 
 
 
Top Stories
Making a case for collaboration
[Blog post] Tap into your company’s people power.
 
Five zero-cost ways to improve MySQL performance
How to easily boost MySQL throughput by up to 5x.
 
Tracking the year of CIO churn
[Blog post] Who shone through in 12 months of disruption?
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
Which is the most prevalent cyber attack method your organisation faces?




   |   View results
Phishing and social engineering
  68%
 
Advanced persistent threats
  4%
 
Unpatched or unsupported software vulnerabilities
  11%
 
Denial of service attacks
  6%
 
Insider threats
  12%
TOTAL VOTES: 1051

Vote