Phishing and Flash flaw bagged RSA

Powered by SC Magazine
 

RSA "don't eat own dog food".

The hackers who breached RSA last month snuck in using a booby-trapped Excel file labelled ‘2011 Recruitment Plan’ that was emailed to low-level staff, according to the EMC security division.  

The first phase of a three-stage assault targeted two small groups within RSA that “you wouldn’t consider ... particularly high value”, according to Uri Rivner, head of new technologies at RSA. 

The email went staight to the Junk box, but one staff member found it “intriguing enough” to retreive it and open the attachment, which installed the "Poison Ivy" remote access tool (RAT) through a now-patched Adobe Flash vulnerability.

Rivner did not expand on RSA’s previous disclosure that the hackers accessed enough information on its SecurID two-factor authentication to weaken its implementation, but not enough to launch a direct attack on customers.

The Poison Ivy RAT was a variant of the GhostNet RAT that was used in 2009 against The Tibetan Government in Exile, Rivner noted. 

In a similar fashion, the attackers moved up the organisation’s ranks after harvesting lower user domain administration and service account credentials. 

“They performed privilege escalation on non-administrative users in the targeted systems, and then moved on to gain access to key high value targets, which included process experts and IT and Non-IT specific server administrators,” he said. 

Despite its wealth of fraud detection technologies, the security vendor only noticed the attack during the third and final "extraction" stage, which he said may have forced the attackers to rush, but was too late to prevent the theft. 

“Then they went into the servers of interest, removed data and moved it to internal staging servers where the data was aggregated, compressed and encrypted for extraction,” said Riven. 

“The attacker then used FTP to transfer many password protected RAR files from the RSA file server to an outside staging server at an external, compromised machine at a hosting provider. The files were subsequently pulled by the attacker and removed from the external compromised host to remove any traces of the attack.”

Riven defended RSA’s handling of the attack, highlighting that many organisations don’t discover what's occurred until months afterwards, but Gartner analyst Aviva Litan criticised RSA for failing to “eat their own dog food”.

“They gave a lot of credit to NetWitness [a company RSA is rumoured to be near acquiring] for helping them find the attack in real time but they obviously weren’t able to stop the attack in real time,” she said.

Copyright © iTnews.com.au . All rights reserved.


Phishing and Flash flaw bagged RSA
 
 
 
Top Stories
Microsoft confirms Australian Azure launch
Available from next week.
 
NBN Co names first 140 FTTN sites
National trial extended.
 
Cloud, big data propel bank CISOs into the boardroom
And this time, they are welcome.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
In which area is your IT shop hiring the most staff?




   |   View results
IT security and risk
  25%
 
Sourcing and strategy
  12%
 
IT infrastructure (servers, storage, networking)
  22%
 
End user computing (desktops, mobiles, apps)
  14%
 
Software development
  27%
TOTAL VOTES: 248

Vote
Would your InfoSec team be prepared to share threat data with the Australian Government?

   |   View results
Yes
  62%
 
No
  38%
TOTAL VOTES: 80

Vote