Ever since security giant RSA was hacked last March, anti-virus researchers have been trying to get a copy of the malware used for the attack to study its type of infection.

This week security company F-Secure discovered that the file was right in front of them all along.  An employee of RSA or its parent firm, EMC, uploaded the malware to an online virus scanning site back on March 19, just over two weeks after RSA is believed to have been breached on March 3.  The online scanner, VirusTotal, shares malware samples it receives with security vendors and malware researchers.

RSA had already revealed that it had been breached after attackers sent two different targeted phishing e-mails to four workers at its parent company EMC.  The e-mails contained a malicious attachment that was identified as “2011 Recruitment plan.xls.”

None of the recipients were people who would normally be considered high-profile targets.  When one of the four employees clicked on the attachment, it used a zero-day exploit targeting a vulnerability in Adobe Flash to drop another malicious file.  This second file was a backdoor, which gave the attackers a foothold to go even farther into the network and gain the access they needed.

RSA initially said that none of its customers were at risk, since the attackers would need more than the data they got from RSA to break into customer systems. Three months later, Lockheed Martin discovered hackers trying to breach its network using duplicates of the SecurID keys that RSA had issued.  RSA announced it would replace most of its security tokens.

RSA claimed in April, “The email was crafted well enough to trick one of the employees to retrieve it from their Junk mail folder, and open the attached excel file.”

So just how well crafted was the e-mail that got RSA hacked? Not too good, according to F-Secure.

The attackers spoofed the e-mail to make it appear to come from a “web master” at the job website Beyond.com.  Inside the e-mail, there was just one line of text: “I forward this file to you for review.  Please open and view it.” This was apparently enough to get the intruders the keys to RSA’s kingdom.

F-Secure tells us that the advanced part of the attack was the zero-day Adobe Flash exploit.  Ultimately, the fact that the attackers hacked a giant like RSA just to gain the information they needed to hack Lockheed Martin and other defense contractors showed a high level of sophistication and commitment.