Spear phishing emails sent to RSA employees who were not high-profile targets led to last month's successful attack.
Writing on the RSA blog, Uri Rivner, head of new technologies in the identity protection division of RSA, admitted that the attacker gained an initial foothold by sending two different phishing emails over a two-day period to employees who were not ‘particularly high profile or high value targets'.
The email, with the subject line ‘2011 Recruitment Plan', was crafted well enough that one of the employees retrieved it from their Junk mail folder and opened the attached Excel spreadsheet, ‘2011 Recruitment plan.xls'.
The spreadsheet carried an embedded Flash object that exploited a then-unpatched vulnerability in Adobe Flash Player (CVE-2011-0609, since fixed by Adobe) to install a remote administration tool that gave the attacker control of the machine.
Rivner said: “In our case the weapon of choice was a Poison Ivy variant set in a reverse-connect mode that makes it more difficult to detect, as the PC reaches out to the command and control rather than the other way around. Similar techniques were reported in many past advanced persistent threats (APTs), including GhostNet.
“Having set remote access, the attacker starts digital shoulder surfing to establish the employee's role and their level of access. If this isn't sufficient for the attackers' purpose, they will seek user accounts with better, more relevant, privileges.”
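The reverse-connect behaviour Rivner describes has a defensive corollary: because the implant initiates every session, the signal a defender can look for is an internal host repeatedly opening connections to the same external endpoint at nearly regular intervals. The following is an added example, not code from the article or from RSA; the flow record format, addresses and timings are constructed assumptions for the demo.

```python
"""Added example, not part of the article or of RSA's own material: spotting
reverse-connect beaconing like the Poison Ivy behaviour quoted above. When
the implant initiates every connection, the defender's signal is an internal
host repeatedly opening sessions to the same external endpoint at nearly
regular intervals. Flow record format, addresses and timings are
constructed assumptions for the demo."""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta


def parse_flow(line: str):
    """Parse one constructed flow record: 'ts,src,dst,dport,bytes_out'."""
    ts, src, dst, dport, out_bytes = line.split(",")
    return datetime.fromisoformat(ts), src, dst, int(dport), int(out_bytes)


def find_beacons(flows, min_count: int = 6, max_jitter: float = 0.2):
    """Group outbound flows by (src, dst, dport) and report groups whose gaps
    between consecutive connections are regular: coefficient of variation
    (stdev / mean) at or below max_jitter, with at least min_count flows."""
    by_pair = defaultdict(list)
    for line in flows:
        ts, src, dst, dport, _ = parse_flow(line)
        by_pair[(src, dst, dport)].append(ts)
    hits = []
    for key, times in by_pair.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_jitter:
            hits.append((key, round(mean, 1), round(cv, 3)))
    return hits


def constructed_flows():
    """Constructed sample: one host checking in every ~300 s (implant) and one
    host browsing with irregular gaps. Not real traffic."""
    base = datetime(2011, 3, 1, 8, 0, 0)
    lines, t = [], base
    for gap in (0, 298, 303, 299, 301, 300, 302, 297):    # implant check-ins
        t += timedelta(seconds=gap)
        lines.append(f"{t.isoformat()},10.20.30.40,198.51.100.7,443,412")
    t = base
    for gap in (0, 12, 340, 5, 900, 60, 2):                 # ordinary browsing
        t += timedelta(seconds=gap)
        lines.append(f"{t.isoformat()},10.20.31.7,203.0.113.80,443,1820")
    return lines


FLOWS = constructed_flows()

if __name__ == "__main__":
    for (src, dst, dport), period, cv in find_beacons(FLOWS):
        print(f"possible beacon: {src} -> {dst}:{dport} every ~{period}s (cv={cv})")
```

Real implants add random sleep jitter and may rotate endpoints, so the jitter threshold and minimum count need tuning against the network's own baseline, and the same grouping can be run over proxy or DNS logs where NetFlow is unavailable; the point is that the vantage is outbound traffic from the victim, not inbound scans.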
He also said that although the attack took place in a short timeframe, there was time for the attacker to identify and gain access to more strategic users. The attacker first harvested access credentials (user, domain admin and service accounts) from the compromised users, escalated privileges from those non-administrative accounts on the targeted systems, and then moved on to key high-value targets, including process experts and server administrators for both IT and non-IT systems.
The attacker established access to staging servers at key aggregation points, went into the servers of interest, removed data and moved it to internal staging servers, where it was aggregated, compressed and encrypted for extraction.
An FTP site was then used to transfer password-protected RAR files from the RSA file server to an external staging server, a compromised machine at a hosting provider. The attacker subsequently pulled the files from that host and deleted them there to remove traces of the attack.
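The staging-and-exfiltration stage described above leaves two artefacts a defender can check for: password-protected archives appearing on an internal file server, and FTP uploads of those archives to an address outside the organisation. The following is an added example, not code from the article or from RSA; the FTP log format, internal address ranges, file names and the archives themselves are constructed assumptions for the demo.

```python
"""Added example, not part of the article or of RSA's own material: a
triage check for the final stage described above, password-protected RAR
archives staged on a file server and pushed by FTP to an external host.
Two checks are correlated: (1) walk RAR4 block headers and flag archives
whose main header or any file header carries the password flag; (2) parse
FTP log lines and flag STOR uploads of those archives to an address
outside the internal ranges. Log format, address ranges, file names and
the archives themselves are constructed assumptions for the demo."""
import ipaddress
import struct
from typing import Optional

RAR4_MAGIC = b"Rar!\x1a\x07\x00"
LONG_BLOCK = 0x8000      # HEAD_FLAGS bit: a 4-byte ADD_SIZE follows HEAD_SIZE
MHD_PASSWORD = 0x0080    # main header flag: file headers are encrypted
LHD_PASSWORD = 0x0004    # file header flag: file data is encrypted
HEAD_MAIN, HEAD_FILE, HEAD_END = 0x73, 0x74, 0x7B


def rar4_is_password_protected(data: bytes) -> Optional[bool]:
    """True if a RAR4 archive has encrypted headers or any encrypted entry,
    False if every entry is in the clear, None if the data is not RAR4.
    HEAD_CRC is not verified: this is triage, not an extractor."""
    if not data.startswith(RAR4_MAGIC):
        return None
    pos = len(RAR4_MAGIC)
    while pos + 7 <= len(data):
        _crc, head_type, flags, head_size = struct.unpack_from("<HBHH", data, pos)
        if head_size < 7:                       # malformed block, stop walking
            break
        add_size = 0
        if flags & LONG_BLOCK:
            if pos + 11 > len(data):
                break
            (add_size,) = struct.unpack_from("<I", data, pos + 7)
        if head_type == HEAD_MAIN and flags & MHD_PASSWORD:
            return True                         # nothing after this is readable
        if head_type == HEAD_FILE and flags & LHD_PASSWORD:
            return True
        if head_type == HEAD_END:
            break
        pos += head_size + add_size
    return False


def build_rar4(name: bytes, payload: bytes, encrypted: bool) -> bytes:
    """Constructed sample: a minimal RAR4 skeleton (marker, main header, one
    file header, opaque payload, end header). The payload is filler, not
    real compressed data; it only has to exercise the header walk."""
    main = struct.pack("<HBHH", 0, HEAD_MAIN, 0, 13) + b"\x00" * 6
    flags = LONG_BLOCK | (LHD_PASSWORD if encrypted else 0)
    fh = struct.pack("<HBHH", 0, HEAD_FILE, flags, 32 + len(name))
    # PACK_SIZE, UNP_SIZE, HOST_OS, FILE_CRC, FTIME, UNP_VER, METHOD, NAME_SIZE, ATTR
    fh += struct.pack("<IIBIIBBHI", len(payload), len(payload), 2, 0, 0, 29, 0x30, len(name), 0x20)
    end = struct.pack("<HBHH", 0, HEAD_END, 0x4000, 7)
    return RAR4_MAGIC + main + fh + name + payload + end


INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_kv(line: str) -> dict:
    """Parse one 'key=value ...' line of the assumed FTP/firewall log format."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def find_exfil(staged: dict, ftp_log: list) -> list:
    """Correlate password-protected archives on the staging share with FTP
    STOR uploads of the same file name to an external address."""
    suspect = {n for n, blob in staged.items() if rar4_is_password_protected(blob)}
    alerts = []
    for line in ftp_log:
        ev = parse_kv(line)
        if ev.get("cmd") != "STOR" or ev.get("file") not in suspect:
            continue
        dst = ipaddress.ip_address(ev["dst"])
        if not any(dst in net for net in INTERNAL):
            alerts.append((ev["ts"], ev["user"], ev["file"], ev["dst"]))
    return alerts


# Constructed sample data (not real RSA artefacts).
STAGED = {
    "q1_export.rar": build_rar4(b"users.csv", b"\xaa" * 64, encrypted=True),
    "patches.rar": build_rar4(b"kb.msi", b"\xbb" * 64, encrypted=False),
}
FTP_LOG = [
    "ts=2011-03-10T02:14:07Z user=svc_backup src=10.20.30.40 dst=203.0.113.25 cmd=STOR file=q1_export.rar bytes=734003200",
    "ts=2011-03-10T02:20:11Z user=svc_backup src=10.20.30.40 dst=10.20.30.50 cmd=STOR file=q1_export.rar bytes=734003200",
    "ts=2011-03-10T09:01:30Z user=jdoe src=10.20.31.7 dst=203.0.113.25 cmd=STOR file=patches.rar bytes=120000000",
    "ts=2011-03-10T09:05:02Z user=jdoe src=10.20.31.7 dst=203.0.113.25 cmd=RETR file=q1_export.rar bytes=734003200",
]

if __name__ == "__main__":
    for alert in find_exfil(STAGED, FTP_LOG):
        print("ALERT: encrypted archive uploaded to external host:", alert)
```

The header walk stops as soon as it sees the main-header password flag, because every file header after it is itself encrypted and cannot be parsed. RAR5 archives use a different signature and block layout and are not handled here, and an attacker can just as easily stage AES-protected 7z or zip files, so in practice the archive check is one input among several (unusual service-account logons to file servers, volume of outbound transfers per host, transfers outside business hours) rather than the whole detection.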
Rivner also confirmed that ‘certain information was extracted', but said the attack was detected by RSA's Computer Incident Response Team while it was still in progress; because it was spotted early, RSA was able to respond quickly and take immediate countermeasures.
“I just want to leave you with one thought. What we're witnessing now are the early days. We're now in 1939, and U-boats are an impossible menace. We're now in 2004, and social engineering attacks get away with our customers' money. We're now in 2011, and the tidal wave of targeted attacks has reached our shores,” he said.
“It's time to respond as an industry, define and execute a new defence doctrine based on information sharing, deep analytics and advanced threat management.”
Avivah Litan, vice president and distinguished analyst in Gartner Research, said: “The irony though with RSA is that they don't eat their own dog food. In other words, they relied on yesterday's best of breed tools to prevent and detect the attack. They gave a lot of credit to NetWitness for helping them find the attack in real-time but they obviously weren't able to stop the attack in real-time, which means the signals and scores weren't high enough to cause a person to shut down the attack in real-time.
“RSA sells its own fraud detection systems based on user and account profiling which use statistical Bayesian models and rules to spot abnormal behaviour and intervene in real-time to re-authenticate users and verify the authenticity of suspect access, behaviour or transactions. RSA appears in the leaders quadrant of Gartner's 2010 Web Fraud Detection Magic Quadrant.
“They should have applied these techniques to their own internal systems. They need to stay innovative and apply the lessons learned from serving their clients to their own internal enterprise systems.
“Perhaps this will shake them up so that they start moving a lot faster, like some of the small agile start-ups they acquired in the past. They need to make it possible for the innovation to bubble up quickly into products and services that they not only sell and implement at customer sites, but that they use themselves internally.”
Russell Poole, security practice director at 2e2, said: “Although phishing attacks have been around for a while, this incident demonstrates the need for continual employee education. It also demonstrates the need to ensure all business applications and operating systems are at the latest patch levels.
“The attack on RSA shows just how sophisticated cyber criminals are getting today, that no one is ever 100 per cent safe and the vital importance of having multiple layers of security that are properly configured to protect customers if one security system is compromised."