F-Secure identify spear phishing email that impacted RSA

News by Dan Raywood

The malicious file used to compromise RSA in March, the breach that exposed the seed data of its SecurID tokens, has been identified by F-Secure.


According to F-Secure, the file was an Excel spreadsheet called '2011 Recruitment Plan' and was discovered by labs analyst Timo Hirvonen five months after the incident. Chief research officer at F-Secure, Mikko Hypponen, said that Hirvonen had been searching the company's tens of millions of malware samples for the specific file and had been unsuccessful until this week.

Hypponen said: “Timo wrote a data analysis tool that analysed samples for flash objects. We knew the XLS file in question used a Flash object to take over the system and the new tool located several relevant samples.

“However, one of them was not an Excel file, it was an Outlook message file (MSG) and when Timo opened it up, he knew he was onto something. The message file turned out to be the original email that was sent to RSA on 3rd of March, complete with the attachment 2011 Recruitment plan.xls.”

F-Secure also has the email itself: someone had uploaded the email and its attachment to the VirusTotal online scanning service on 19th of March. The email was spoofed to appear to have come from the recruiting website Beyond.com. It had the subject ‘2011 Recruitment plan' and one line of text, which said: “I forward this file to you for review. Please open and view it.” F-Secure said that the message was sent to one EMC employee and cc'd to three others.

When opened, the attachment is a blank Excel spreadsheet with a boxed ‘X' in cell A1; the box is an embedded Flash object that Excel executes. “The Flash object then uses the CVE-2011-0609 vulnerability to execute code and to drop a Poison Ivy backdoor to the system. The exploit code then closes Excel and the infection is over,” said Hypponen.
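The hunt described above (a tool that sweeps a sample corpus for Flash objects) and the infection mechanism (a SWF stored inside an Excel OLE2 file) both come down to the same check: does a binary blob contain an SWF header? The scanner below is an added example written for this page, not F-Secure's tool. It relies on the documented SWF header layout (a 3-byte signature FWS/CWS/ZWS, a version byte, a 4-byte little-endian uncompressed length) and rejects look-alike text by validating the version byte against an assumed upper bound, checking that an uncompressed SWF fits in the remaining bytes, and checking that a CWS body really starts a zlib stream. The sample files are constructed stand-ins, not the real attachment. Because both XLS and Outlook MSG are OLE2 compound files whose streams hold embedded data unzipped, a byte-level sweep like this finds the SWF whether it sits in the spreadsheet or in the message that carried it; it will not see into zipped OOXML containers without unpacking them first.

```python
"""Scan binary samples for embedded Flash (SWF) objects by header signature."""
import struct
import zlib

# SWF files begin with a 3-byte signature, a version byte and a 4-byte little-endian
# length of the *uncompressed* file: FWS = uncompressed, CWS = zlib, ZWS = LZMA.
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")
SWF_HEADER_LEN = 8
# Assumed sanity bound on the version byte; real Flash versions stayed well below this.
MAX_SWF_VERSION = 40


def _plausible_swf_header(data, offset):
    """Validate the candidate header at `offset`; return its fields or None."""
    if len(data) - offset < SWF_HEADER_LEN:
        return None
    sig = data[offset:offset + 3]
    version = data[offset + 3]
    length = struct.unpack_from("<I", data, offset + 4)[0]
    if not 1 <= version <= MAX_SWF_VERSION or length < SWF_HEADER_LEN:
        return None
    if sig == b"FWS" and length > len(data) - offset:
        # An uncompressed SWF must fit entirely in the bytes that follow.
        return None
    if sig == b"CWS":
        # The body must start a valid zlib stream; partial input is fine, a bad header is not.
        try:
            zlib.decompressobj().decompress(
                data[offset + SWF_HEADER_LEN:offset + SWF_HEADER_LEN + 64])
        except zlib.error:
            return None
    return {"offset": offset, "signature": sig.decode("ascii"),
            "version": version, "length": length}


def find_swf_objects(data):
    """Return every plausible SWF header found in `data`, sorted by offset."""
    hits = []
    for sig in SWF_SIGNATURES:
        start = 0
        while (idx := data.find(sig, start)) != -1:
            header = _plausible_swf_header(data, idx)
            if header is not None:
                hits.append(header)
            start = idx + 1
    return sorted(hits, key=lambda h: h["offset"])


def scan_samples(samples):
    """Map each sample name to the offsets of the SWF objects found in it."""
    return {name: [h["offset"] for h in find_swf_objects(blob)]
            for name, blob in samples.items()}


# --- constructed sample data (not real malware) ----------------------------------
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # header of an OLE2 compound file (XLS, MSG)


def build_sample_with_flash():
    """Constructed stand-in for an XLS that carries a zlib-compressed SWF object."""
    uncompressed_body = b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00\x00\x0c\x01\x00" + b"\x00" * 40
    swf = b"CWS" + bytes([10]) + struct.pack("<I", SWF_HEADER_LEN + len(uncompressed_body))
    swf += zlib.compress(uncompressed_body)
    return OLE_MAGIC + b"\x00" * 64 + b"Workbook" + b"\x00" * 32 + swf + b"\x00" * 16


SAMPLES = {
    "constructed_recruitment.xls": build_sample_with_flash(),
    "constructed_clean.xls": OLE_MAGIC + b"\x00" * 64 + b"Workbook" + b"\x00" * 64,
    # Plain text containing the signatures as ordinary words; must not be flagged.
    "constructed_newsletter.txt": b"NEWS: the CWS team wins; FWSomething follows.",
}

if __name__ == "__main__":
    for name, offsets in scan_samples(SAMPLES).items():
        print(f"{name}: {'SWF at ' + str(offsets) if offsets else 'no Flash object'}")
```

Run against a directory of samples, the same loop would read each file's bytes into `SAMPLES`; the three validation steps are what keep a corpus-wide sweep from drowning in hits on the letters "CWS" in ordinary text.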

“After this, Poison Ivy connects back to its server at good.mincesur.com. The domain mincesur.com has been used in similar espionage attacks over an extended period of time.”

Once the connection is made, the attacker has full remote access to the infected workstation and to any network drives the user can reach.

F-Secure said that the attack email does not look particularly sophisticated; however, the exploit inside the Excel file was a zero-day at the time, so RSA could not have protected against it by patching its systems.

Hypponen also conceded that the email, exploit and backdoor were not themselves advanced, but argued that the attack as a whole was, given its ultimate target.

He said: “If somebody hacks a security vendor just to gain access to their customers systems, we'd say the attack is advanced, even if some of the interim steps weren't very complicated.”
