Sophos Cloud Optix
In mid-March, Naked Security reported that RSA’s executive chairman, Art Coviello, had revealed a doozie of a cyber-attack story: hackers had broken into RSA servers and stolen information related to the company’s SecurID two-factor authentication products.
On Friday – ironically April Fool’s day – Uri Rivner, head of new technologies and consumer identity protection, at RSA, posted a blog entry releasing additional details on the RSA security breach.
It is a very long article, which provides a few details of how the attack managed to penetrate their defences. Unfortunately, it does leave some big details out.
So, here are the bare bones of the attack, summarised from Rivner’s post:
1. Attackers got their hands on specific employees’ publicly available information. Unsurprisingly, social media sites are useful for both good guys and bad guys. By giving away employees’ full names, job titles and company contact details, we inadvertently provide hackers and phishers with some of the necessary information to make a scam look legitimate. For example, if we know someone works in HR, then tailoring a bogus email for that department makes the attack more likely to succeed.
2. Hackers sent specific employees a phishing email, entitled ‘2011 Recruitment Plan’ with an Excel spreadsheet attached. The spreadsheet, called ‘2011 Recruitment plan.xls’, hid an embedded Flash exploit, which took advantage of Adobe’s zero-day vulnerability: (CVE-2011-0609).
3. A remote administration tool called Poison Ivy RAT variant was downloaded by the Trojan to give the attackers remote control of the computer.
4. The attackers took the access credentials from the compromised victims. The attackers then performed “privilege escalation on non-administrative users in the targeted systems, and then moved on to gain access to key high value targets, which included process experts and IT and Non-IT specific server administrators.”
5. The hackers went into the servers of interest, copied data and moved it to internal staging servers. The data was then aggregated, compressed and encrypted for extraction. FTP was used to transfer “many” password-protected RAR files from the RSA file server to an outside staging server at an external, compromised machine at a hosting provider.
6. The files were subsequently pulled by the attackers and removed from the external compromised host to remove any traces of the attack.
Rivner says that RSA’s Computer Incident Response Team caught the threat during their third stage, rather than hearing about it months later. This allowed RSA to respond quickly and engage in immediate countermeasures.
You read all this, and you can’t help but want more details. What did the attackers take? How does it affect RSA’s customers? What can they do about it? What is RSA doing to stave off future similar attacks?
Perhaps that information is still to come. I know many of us are dying to know more.
However, I am really pleased that RSA sketched out some of the details of the attack. I don’t know if they planned to do so all along, or if they bowed to external pressure to do so. It does force other companies to really think about their own infrastructure and what measures they have in place to help them mitigate against this type of attack.
And it must be nerve-racking for RSA’s shareholders and CxOs to read a public document about how the company got hacked, but releasing it really shows a tremendous amount of social responsibility. Well done Rivner and co.
RSA are not the first to be victims of this sort of attack, and they sadly won’t be the last. No matter what technology you have in place, the vulnerability that all businesses can’t get away from are employees.
Keeping them informed about how threats will try to take advantage of them and giving them the right knowledge and tools to help spot these types of attacks will go a long way to help secure a company’s confidential information.
Naked Security provided some tips here for IT security teams to share with their users last year: Sophos’s security manifesto.