RSA was hacked in March. This was one of the biggest hacks in history.
As far as we know, a nation-state wanted to break into Lockheed-Martin and Northrop-Grumman to steal military secrets. They couldn't do it, since these companies were using RSA SecurID tokens for network authentication. So, the hackers broke into RSA with a targeted email attack. They planted a backdoor and finally were able to gain access to SecurID information that enabled them to go back to their original targets and successfully break in there. In the aftermath of the attack, RSA was forced to replace the SecurID tokens for their customers.
Already in April, we knew that the attack was launched with a targeted email to EMC employees (EMC owns RSA), and that the email contained an attachment called "2011 Recruitment plan.xls". RSA disclosed this information in their blog post. The problem was, we didn't have the file. It seemed like nobody did, and the antivirus researcher mailing lists were buzzing with discussion about where to find the file. Nobody had it, and eventually the discussion quieted down.
This bothered Timo Hirvonen. Timo has been working as an analyst in our labs and was convinced that he could find this file. Every few weeks since April, Timo would go back to our collections of tens of millions of malware samples and try to mine them to find this one file, with no luck. Until this week.
Timo wrote a data analysis tool that analysed samples for Flash objects. We knew the XLS file in question used a Flash object to take over the system. The new tool located several relevant samples. However, one of them was not an Excel file. It was an Outlook message file (MSG). When Timo opened it up, he knew he was onto something. The message file turned out to be the original email that was sent to RSA on the 3rd of March, complete with the attachment "2011 Recruitment plan.xls".
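A scanner of the kind Timo describes, as an added example rather than F-Secure's own tool: it searches each file in a sample collection for the SWF signatures (FWS, CWS, ZWS) that mark an embedded Flash object, sanity-checks the header so stray "FWS" text is not reported, and returns the MD5 of each hit so it can be compared with published hashes like the ones at the end of this post. The directory layout, the version and length limits and the constructed sample are assumptions.

```python
import hashlib
import os
import struct
from typing import Iterator, List, Tuple

# A SWF (Flash) file starts with a 3-byte signature (FWS = uncompressed, CWS = zlib,
# ZWS = LZMA), a 1-byte version and a 4-byte little-endian uncompressed length.
# Inside an OLE2 document the object is stored as-is, so the header is visible in the raw bytes.
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")
MAX_SWF_VERSION = 40            # assumption: sane upper bound on the version byte
MAX_SWF_LENGTH = 50_000_000     # assumption: cap that drops random "FWS" text hits

def find_flash_objects(data: bytes) -> List[Tuple[int, str, int, int]]:
    """Return (offset, signature, version, declared_length) for each plausible SWF header."""
    hits = []
    for sig in SWF_SIGNATURES:
        off = data.find(sig)
        while off != -1:
            if off + 8 <= len(data):
                version = data[off + 3]
                length = struct.unpack_from("<I", data, off + 4)[0]
                # Sanity checks: realistic version byte, declared length covers at least the header
                if 1 <= version <= MAX_SWF_VERSION and 8 <= length <= MAX_SWF_LENGTH:
                    hits.append((off, sig.decode(), version, length))
            off = data.find(sig, off + 1)
    return sorted(hits)

def scan_samples(root: str) -> Iterator[Tuple[str, str, List[Tuple[int, str, int, int]]]]:
    """Walk a sample collection and yield (path, md5, hits) for files containing SWF headers."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()        # document samples are small; read whole
            except OSError:
                continue
            hits = find_flash_objects(data)
            if hits:
                yield path, hashlib.md5(data).hexdigest(), hits

def build_sample() -> bytes:
    """Constructed stand-in for an XLS with an embedded Flash object (not the real file)."""
    ole_magic = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"         # OLE2 compound file header
    swf = b"CWS" + bytes([10]) + struct.pack("<I", 4096) + b"\x78\x9c" + b"\x00" * 16
    return ole_magic + b"\x00" * 504 + swf + b"\x00" * 64   # SWF header lands at offset 512

if __name__ == "__main__":
    print(find_flash_objects(build_sample()))   # [(512, 'CWS', 10, 4096)]
```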
After five months, we finally had the file. And not only that, we had the original email. It turns out somebody (most likely an EMC employee) had uploaded the email and attachment to the VirusTotal online scanning service on the 19th of March. And, as stated in the VirusTotal terms, uploaded files are shared with relevant parties in the anti-malware and security industry. So, we all had the file already. We just didn't know we did, and we couldn't find it amongst the millions of other samples.
The sample was uploaded on the 19th of March as file-1994209_msg.
So, what did the email look like? It was an email that was spoofed to look like it had come from the recruiting website Beyond.com. It had the subject "2011 Recruitment plan" and one line of content: "I forward this file to you for review. Please open and view it". The message was sent to one EMC employee and cc'd to three others.
When opened, this is what the XLS attachment looked like:
Here's a YouTube video that shows in practice what happens when you open the malicious Excel file.
In this video you can see us opening the email in Outlook and launching the attachment. The embedded Flash object shows up as an [X] symbol in the spreadsheet. The Flash object is executed by Excel (why the heck Excel supports embedded Flash is a good question). The Flash object then uses the CVE-2011-0609 vulnerability to execute code and to drop a Poison Ivy backdoor onto the system. The exploit code then closes Excel and the infection is over. After this, Poison Ivy connects back to its server at good.mincesur.com. The domain mincesur.com has been used in similar espionage attacks over an extended period of time.
Once the connection is made, the attacker has full remote access to the infected workstation. Even worse, they have full access to the network drives that the user can access. Apparently the attackers were able to leverage this vector further until they gained access to the critical SecurID data they were looking for.
The attack email does not look too complicated. In fact, it's very simple. However, the exploit inside Excel was a zero-day at the time, and RSA could not have protected against it by patching their systems. Was this an advanced attack? The email wasn't advanced. The backdoor they dropped wasn't advanced. The exploit was advanced. The ultimate target of the attacker was advanced. If somebody hacks a security vendor just to gain access to their customers' systems, we'd say the attack is advanced, even if some of the interim steps weren't very complicated.
Timo will be discussing his research on the topic in detail at the T2 Data Security conference in October in his talk titled "How RSA Was Breached".
PS. For those who are still looking for the sample:
MD5 of the MSG file: 1e9777dc70a8c6674342f1796f5f1c49
MD5 of the XLS file: 4031049fe402e8ba587583c08a25221a