The assault against RSA, the security division of EMC Corp., began with two waves of spear phishing e-mails carrying an attached Microsoft Excel file; the spreadsheet contained an embedded Adobe Flash object that exploited a then-unpatched (zero-day) Flash flaw.
The phishing attacks took place over a two-day period and targeted two small groups of low-profile employees. The attackers succeeded in getting at least one employee to retrieve the message from the junk mail folder and open the attached Excel file, titled "2011 Recruitment plan.xls." From that foothold the attackers eventually reached critical systems. A NetWitness early detection system spotted the anomaly and alerted incident response teams while the attack was still in progress, but not before the attackers had made off with details about the company's SecurID two-factor authentication products.
Uri Rivner, head of new technologies, identity protection and verification at RSA, shared the first details of the RSA SecurID attack since March 22, when the company warned that information related to its SecurID products was stolen.
According to the details released last week, the exploit installed a backdoor, a variant of the Poison Ivy remote administration tool, which reached out to a remote command-and-control server and gave the attackers a way to navigate through RSA's sensitive systems. Once in, the attackers shoulder surfed on the victims, mapped the network and its resources, and started looking for a path to the assets they were after, Rivner said.
"The attackers first harvested access credentials from the compromised users," Rivner said. "They performed privilege escalation on non-administrative users in the targeted systems and then moved on to gain access to key high value targets, which included process experts and IT and non-IT specific server administrators."
Once the attackers had copied data from the servers of interest, they moved it to "internal staging servers where the data was aggregated, compressed and encrypted for extraction," Rivner said. The data was then transferred via FTP, as password-protected RAR files, to an external compromised host. Once it was there, the attackers deleted the files from that host to eliminate traces of the attack.
While RSA's NetWitness network monitoring system detected the attack in progress, the company did not have a process in place to reauthenticate suspicious users, said Avivah Litan, vice president at Gartner Inc. In an interview with SearchSecurity.com, Litan said other companies have stopped similar attacks by deploying layered defenses. For example, many financial firms use secure browsing technologies to monitor end-user interaction with third-party websites, in combination with on-site network monitoring, Litan said.
"The bottom line is that these attacks can be stopped and they have been stopped by other companies that are more prepared," said Litan, who was among several analysts briefed on the attack. "There was abnormal user behavior, which [RSA] did detect, but they didn't have an inline process to stop it."
Jon Oltsik, principal analyst at Milford, Mass.-based consulting firm Enterprise Strategy Group, who was also briefed by RSA on Friday, said the attack raises concern that current security technologies are failing to protect against savvy social engineering attacks. "Pretty much anyone can be breached at any time," Oltsik said, adding that it will likely take a major event, like a lengthy power outage, before any progress is made.
"We definitely need to improve our technologies, but this is not a technology problem," Oltsik said. "This is a con. Cybercriminals are preying upon human behavior to trust other people. You can deploy all the technology available, but this shows that it's easy to dupe people and overcome that technology."
RSA said response teams were called in to isolate the attack and investigate the breach and within nine hours the company's crisis response plan was thrown into full gear. Support staff and engineering teams were conducting briefings with affected customers, many of those briefings under non-disclosure agreements, based on the customer's specific exposure.
RSA continues to be tight-lipped about exactly what part of its two-factor authentication technology was stolen.
In the RSA SecurID system, users are given a keyfob that displays a token code which changes at a fixed interval (typically every 60 seconds). The code only looks random: it is derived from a secret seed stored in the token and the current time. Users also set their own four- to eight-digit PIN. The PIN and the token code are combined into a single passcode used to authenticate to a protected server. In a worst-case scenario, explained Rob VandenBrink, writing about the RSA attack in the SANS Institute's Internet Storm Center diary, cybercriminals could have "obtained a complete or partial customer list, complete with seeds and serial numbers." Each token carries a serial number, and the customer's RSA SecurID ACE management server maps that serial number to a user. The seed is the token's secret key, generated and assigned by RSA. Sources close to the investigation also wouldn't disclose specifics, but said the NetWitness early detection system enabled the company to ensure the attackers "didn't empty the coffers of RSA or SecurID."
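Why a leaked seed database is the worst case follows directly from how a time-based token works, and a small model makes it concrete. The block below is an added illustration and is not RSA's SecurID algorithm, whose code derivation is proprietary; it substitutes the public HMAC-over-time construction of RFC 6238 (TOTP), which shares the property that matters here: whoever holds the seed can compute every code the fob will ever display, so the only factor left standing is the PIN. The seeds, serial numbers, user names, PINs and the `AuthServer` class are all constructed for the example and stand in for the customer's ACE server.

```python
import hashlib
import hmac
import struct

INTERVAL = 60   # seconds each token code is valid (assumed, typical for SecurID)
DIGITS = 6      # length of the displayed token code (assumed)


def token_code(seed: bytes, unix_time: int) -> str:
    """Code the fob would display at unix_time.
    TOTP-style stand-in (RFC 6238 / RFC 4226 truncation), NOT the SecurID algorithm."""
    counter = unix_time // INTERVAL
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"


def passcode(pin: str, seed: bytes, unix_time: int) -> str:
    """What the user types: PIN followed by the current token code."""
    return pin + token_code(seed, unix_time)


class AuthServer:
    """Hypothetical stand-in for the customer's ACE / Authentication Manager."""

    def __init__(self):
        self.users = {}    # username -> (token serial, PIN)
        self.tokens = {}   # token serial -> seed (the record RSA also holds)

    def enroll(self, username: str, serial: str, seed: bytes, pin: str) -> None:
        if not (4 <= len(pin) <= 8 and pin.isdigit()):
            raise ValueError("PIN must be 4 to 8 digits")
        self.users[username] = (serial, pin)
        self.tokens[serial] = seed

    def verify(self, username: str, submitted: str, unix_time: int, drift: int = 1) -> bool:
        """Accept PIN + token code if the code matches within +/- drift intervals
        (clock drift tolerance, as real token servers allow)."""
        if username not in self.users:
            return False
        serial, pin = self.users[username]
        if not hmac.compare_digest(submitted[:len(pin)], pin):
            return False
        code = submitted[len(pin):]
        seed = self.tokens[serial]
        return any(hmac.compare_digest(code, token_code(seed, unix_time + d * INTERVAL))
                   for d in range(-drift, drift + 1))


def attacker_with_seeds(stolen: dict, serial: str, unix_time: int, pin_guess: str) -> str:
    """An attacker holding serial -> seed records computes the live code for any
    token and only has to guess the PIN (assumes they also learned which serial
    belongs to the target user)."""
    return pin_guess + token_code(stolen[serial], unix_time)


def residual_guess_space(pin_len: int, attacker_has_seed: bool) -> int:
    """Online guesses an attacker faces per login: PIN alone if the seed leaked,
    PIN plus the DIGITS-digit token code otherwise."""
    return 10 ** pin_len if attacker_has_seed else 10 ** (pin_len + DIGITS)


# --- constructed sample data, not real customer data -----------------------
SEED_ALICE = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
SEED_BOB = bytes.fromhex("00112233445566778899aabbccddeeff")
NOW = 1_300_000_000   # 13 March 2011, roughly when the breach was disclosed

server = AuthServer()
server.enroll("alice", "000123456789", SEED_ALICE, "4271")
server.enroll("bob", "000987654321", SEED_BOB, "90817263")

if __name__ == "__main__":
    print("alice, legitimate login:",
          server.verify("alice", passcode("4271", SEED_ALICE, NOW), NOW))
    stolen = dict(server.tokens)   # the worst case: seeds plus serial numbers
    print("attacker with seed, wrong PIN:",
          server.verify("alice", attacker_with_seeds(stolen, "000123456789", NOW, "0000"), NOW))
    print("attacker with seed, right PIN:",
          server.verify("alice", attacker_with_seeds(stolen, "000123456789", NOW, "4271"), NOW))
    print("guesses left, 4-digit PIN, seed leaked:", residual_guess_space(4, True))
    print("guesses left, 4-digit PIN, seed secret:", residual_guess_space(4, False))
```

The model also shows why the serial number matters as much as the seed: the seed alone is a key with no name on it, and it is the serial-to-user mapping on the customer's ACE server, or a stolen customer list that pairs serials with seeds, that tells an attacker which seed to use against which account. The real SecurID derivation differs from the HMAC stand-in used here, but the consequence of a seed leak is the same.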