The hackers who breached RSA last month snuck in using a booby-trapped Excel file labelled ‘2011 Recruitment Plan’ that was emailed to low-level staff, according to the EMC security division.
The first phase of a three-stage assault targeted two small groups within RSA that “you wouldn’t consider ... particularly high value”, according to Uri Rivner, head of new technologies at RSA.
The email went straight to the Junk box, but one staff member found it “intriguing enough” to retrieve it and open the attachment, which installed the "Poison Ivy" remote access tool (RAT) through a now-patched Adobe Flash vulnerability.
Rivner did not expand on RSA’s previous disclosure that the hackers accessed enough information on its SecurID two-factor authentication to weaken its implementation, but not enough to launch a direct attack on customers.
The Poison Ivy RAT was a variant of the GhostNet RAT that was used in 2009 against the Tibetan Government in Exile, Rivner noted.
In a similar fashion, the attackers moved up the organisation’s ranks after harvesting credentials from lower-level users, domain administrators and service accounts.
“They performed privilege escalation on non-administrative users in the targeted systems, and then moved on to gain access to key high value targets, which included process experts and IT and Non-IT specific server administrators,” he said.
Despite its wealth of fraud detection technologies, the security vendor only noticed the attack during the third and final "extraction" stage, which he said may have forced the attackers to rush, but was too late to prevent the theft.
“Then they went into the servers of interest, removed data and moved it to internal staging servers where the data was aggregated, compressed and encrypted for extraction,” said Rivner.
“The attacker then used FTP to transfer many password protected RAR files from the RSA file server to an outside staging server at an external, compromised machine at a hosting provider. The files were subsequently pulled by the attacker and removed from the external compromised host to remove any traces of the attack.”
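The extraction stage Rivner describes (many password-protected RAR files pushed by FTP from an internal server to an outside host in a short burst) is the kind of pattern a defender can look for in file-transfer logs. The following is an added detection example, not code from RSA or from this article; the log format, the hosts and the internal address ranges are all constructed for illustration.

```python
"""Flag bursts of archive uploads to external hosts (constructed sample data)."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed file-transfer records, not real RSA logs. One record per line:
# "<ISO timestamp> <src ip> <dst ip> <protocol> <filename> <bytes>"
SAMPLE_LOG = """\
2011-03-10T02:14:05 10.20.5.17 10.20.9.4 smb quarterly.xlsx 88213
2011-03-10T02:16:41 10.20.5.17 203.0.113.45 ftp part001.rar 52428800
2011-03-10T02:17:02 10.20.5.17 203.0.113.45 ftp part002.rar 52428800
2011-03-10T02:17:30 10.20.5.17 203.0.113.45 ftp part003.rar 52428800
2011-03-10T02:18:11 10.20.5.17 203.0.113.45 ftp part004.rar 52428800
2011-03-10T02:19:55 10.20.5.17 203.0.113.45 ftp part005.rar 31457280
2011-03-10T09:30:00 10.20.7.3 198.51.100.8 ftp release-notes.pdf 120000
"""

# Assumed internal address space; a real deployment uses its own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ARCHIVE_SUFFIXES = (".rar", ".7z", ".zip")

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def parse_records(text):
    """Split the constructed log into (time, src, dst, proto, name, size) tuples."""
    out = []
    for line in text.splitlines():
        ts, src, dst, proto, name, size = line.split()
        out.append((datetime.fromisoformat(ts), src, dst, proto, name, int(size)))
    return out

def find_staged_exfil(records, min_files=3, window=timedelta(minutes=10)):
    """Alert on (src, dst) pairs sending >= min_files archives over FTP to an external host within `window`."""
    by_pair = defaultdict(list)
    for ts, src, dst, proto, name, size in records:
        if proto != "ftp" or not name.lower().endswith(ARCHIVE_SUFFIXES):
            continue
        if is_internal(dst):
            continue  # internal staging hop; only the outbound leg is flagged here
        by_pair[(src, dst)].append((ts, size))
    alerts = []
    for (src, dst), xfers in by_pair.items():
        xfers.sort()
        for i in range(len(xfers)):
            j = i  # extend the window from transfer i as far as it reaches
            while j + 1 < len(xfers) and xfers[j + 1][0] - xfers[i][0] <= window:
                j += 1
            if j - i + 1 >= min_files:
                alerts.append({"src": src, "dst": dst, "files": j - i + 1,
                               "bytes": sum(s for _, s in xfers[i:j + 1])})
                break  # one alert per pair is enough
    return alerts
```

Run against the constructed log, the burst of five RAR files to 203.0.113.45 is reported while the single PDF transfer and the internal SMB copy are not.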
Rivner defended RSA’s handling of the attack, highlighting that many organisations don’t discover what's occurred until months afterwards, but Gartner analyst Avivah Litan criticised RSA for failing to “eat their own dog food”.
“They gave a lot of credit to NetWitness [a company RSA is rumoured to be near acquiring] for helping them find the attack in real time but they obviously weren’t able to stop the attack in real time,” she said.