Researchers study actual file used in RSA SecurID breachto attack security firm RSA this March contained just two short sentences: “I forward this file to you for review. Please open and view it.”
The message, discovered by researchers at anti-virus firm F-Secure after five months of pilfering through tens of millions of malware samples, sheds light on one of 2011's most notable breaches.
“It wasn't a very well-done attack from the social engineering point of view,” Mikko Hypponen, chief research officer at F-Secure, told SCMagazineUS.com on Friday.
Though it was simple, the message successfully duped an employee of EMC, RSA's parent company, into opening a malicious Excel spreadsheet called “2011 Recruitment plan,” thus creating a backdoor into the company's network.
The targeted attack, according to researchers, was just the first step in an effort by state-sponsored adversaries to steal RSA product information that subsequently was used to break into U.S. defense contractors' networks. The ultimate goal was to steal military secrets.
Timo Hirvonen, anti-malware analyst at F-Secure, had been searching for the file since RSA disclosed it had been attacked, according to an F-Secure blog post Friday. Knowing the nefarious Excel file used a Flash object – a piece of software that runs in Adobe Flash Player – to take over the targeted system, Hirvonen built a data analysis tool that could examine malware samples for such an attribute. With the help of this tool, he struck gold, discovering the original email and file used as part of the attack.
Multiple members of the anti-malware and security industry actually had the file — they just didn't know it, Hypponen said. The email and attachment had been uploaded on March 19, most likely by an RSA employee, to VirusTotal, a free online service used to analyze suspicious files and URLs. VirusTotal files are shared with about 30 members of the anti-virus community, Hypponen said.
“We never knew, in detail, what the file did, what backdoor it dropped, and to where the backdoor connected,” Hypponen said.
The message, spoofed to look like it was sent from the recruiting website Beyond.com, was delivered on March 3 to one EMC employee and CC'd to three others. Once opened, the attachment had no content except the embedded Flash object, which appeared on the spreadsheet as an "X" symbol. The malicious attachment was then crafted to exploit a Flash Player vulnerability – unpatched at the time of the attack – to plant a backdoor called “Poison Ivy” on the affected system.
Once a connection to the server was made, the attacker had complete remote access to the infected machine, as well as all the network drives a user can access.
RSA may have been able to notice the unusual outbound connectivity with a “good quality” blacklist of known espionage sites, Hypponen said. However, he added that most organizations would have fallen victim to the attack since it used a zero-day exploit targeting Flash, a widely-used program.
“I don't want to blame RSA,” he said. “I don't think they could have prevented it.”
Following the attack on RSA and the subsequent breach of defense contractor Lockheed Martin's systems, RSA offered customers the option to replace SecurID tokens. About 10 percent of RSA SecurID customers globally replaced the token system, with the highest number of replacements in Australia.
RSA Australia director Andy Solterbeck told sister site SCMagazine.com.au, that the company had to remain tight-lipped on specific details of the breach due to an active investigation.
"Every law agency was crawling all over us," Solterbeck said.
Customers, however, wanted answers as to whether SecurID tokens could be trusted. Solterbeck said he contacted some of RSA's largest customers personally, while others received help from the company's consultants, partners and resellers.
"We did as good a job as we could," Solterbeck said. "[Customers] were satisfied."
SC's Darren Pauli contributed to this report.