Monday, April 4, 2011

RSA SecurID Attack: How it happened

Note: This post is also available in Spanish.

As I wrote in my previous post titled “RSA SecurID Attack” on March 30th, RSA was the victim of an Advanced Persistent Threat (APT) attack, which achieved its goal of extracting information from the Company’s servers. Although RSA has not publicly specified the type of information, it was said to be related to the SecurID (3) two-factor authentication products. According to the Company, the extracted information does not enable a successful direct attack on any of its RSA SecurID customers, but it might be used to reduce the effectiveness of current two-factor implementations as part of a broader attack.

Until last Friday, RSA had kept the details of how the attack took place to itself, but a blog post by Uri Rivner on RSA's official blog finally gave some clues about how it happened.

According to Uri, the attacker sent two phishing e-mails over a two-day period. These e-mails, targeted at a small group of employees (considered low-profile users), carried the subject “2011 Recruitment Plan”. One of the victims opened the attached Excel file, which contained a zero-day exploit for an Adobe Flash vulnerability (CVE-2011-0609) (1) that installed a backdoor.

Once the backdoor was installed, the next logical step was to gain remote control of the machine. In this case, the attacker installed a remote administration tool in reverse-connect mode, which makes it difficult to detect. The attacker then hunted throughout the network for users with more privileges who had access to the target information. This was done with standard hacking methodologies.
According to Uri, the attacker harvested all access credentials from the compromised user, then attacked non-administrative users on the targeted systems, and then, through privilege escalation attacks, gained access to high-value targets.

Finally, they broke into the servers of interest with the appropriate credentials and moved the target data to an internal staging server, where they compressed and encrypted it. Once this was done, the data was exfiltrated via FTP to an external server at a compromised hosting provider.
The rest of the story is already known.
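Two stages of the chain described above leave network traces a defender can look for: the reverse-connect tool calling home at regular intervals, and the final FTP transfer from an internal server to an external host. The following is an added example of that detection logic, written for this post and not code from RSA or from the original article. It assumes a simple connection-log layout of `timestamp src dst dport bytes` (an assumption, not any vendor's format), and the log lines are constructed for the example; the function names `find_beacons` and `find_external_ftp` are also my own.

```python
"""Toy detector for two stages of the attack chain in the post:
(1) reverse-connect beaconing from a workstation to one external host,
(2) outbound FTP from an internal server to an external address.
The log layout 'timestamp src dst dport bytes' is an assumption for this
example, and every line in SAMPLE_LOG is constructed, not real traffic."""
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample: a workstation (10.1.5.23) beaconing every 5 minutes to
# one external host, normal internal SMB traffic, an internal server
# (10.1.9.40) pushing ~700 MB over FTP to an external host, and a benign
# one-off HTTPS connection from another workstation.
SAMPLE_LOG = """\
2011-03-01T09:00:00 10.1.5.23 198.51.100.7 443 512
2011-03-01T09:05:00 10.1.5.23 198.51.100.7 443 530
2011-03-01T09:10:00 10.1.5.23 198.51.100.7 443 498
2011-03-01T09:15:00 10.1.5.23 198.51.100.7 443 505
2011-03-01T09:02:13 10.1.5.23 10.1.0.10 445 20480
2011-03-01T11:30:00 10.1.9.40 203.0.113.9 21 734003200
2011-03-01T11:31:00 10.1.9.40 10.1.0.12 21 1048576
2011-03-01T12:00:00 10.1.5.31 198.51.100.50 443 2048
"""

# RFC 1918 ranges plus loopback count as "internal" for this example.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_external(ip):
    """True when the address is outside the internal ranges above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_log(text):
    """Parse 'timestamp src dst dport bytes' lines into dicts (assumed layout)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "src": src,
                        "dst": dst, "dport": int(dport), "bytes": int(nbytes)})
    return records


def find_beacons(records, min_count=4, max_jitter=0.2):
    """Return (src, dst, dport) flows where an internal host contacts one
    external address at near-constant intervals: the call-home pattern of a
    reverse-connect tool. A flow is flagged when it has at least min_count
    connections and every gap is within max_jitter of the median gap."""
    flows = defaultdict(list)
    for r in records:
        if not is_external(r["src"]) and is_external(r["dst"]):
            flows[(r["src"], r["dst"], r["dport"])].append(r["ts"])
    hits = []
    for key, stamps in flows.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        median = statistics.median(gaps)
        if median > 0 and all(abs(g - median) <= max_jitter * median for g in gaps):
            hits.append(key)
    return hits


def find_external_ftp(records, min_bytes=0):
    """Return (src, dst, bytes) for FTP (port 21) sessions from an internal
    host to an external address carrying at least min_bytes. Outbound FTP
    from a server is rarely legitimate and is the exfiltration channel the
    post describes."""
    return [(r["src"], r["dst"], r["bytes"]) for r in records
            if r["dport"] == 21 and not is_external(r["src"])
            and is_external(r["dst"]) and r["bytes"] >= min_bytes]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for src, dst, port in find_beacons(recs):
        print(f"beacon: {src} -> {dst}:{port}")
    for src, dst, size in find_external_ftp(recs):
        print(f"external FTP: {src} -> {dst} ({size} bytes)")
```

Run as-is the script flags the beaconing workstation and the single outbound FTP session while ignoring the internal SMB and FTP traffic. The beacon check is deliberately strict about interval regularity; on real logs you would loosen `max_jitter`, add allow-lists for known update servers, and raise `min_bytes` to cut noise.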

By Agustin Chernitsky

Notes:
(1) Adobe has released a patch.
