The Public Eye with Eric Chabrow

RSA Breach Evidence Uncovered

Original E-mail with Exploit Found by Security Firm
RSA Breach Evidence Uncovered

There's just too much information out there, and sometimes what you're looking for is just sitting right in front of you and you don't even notice.

Timo Hirvonen is an analyst at F-Secure, and every few weeks he would review the Finnish security provider's collection of tens of millions of malware samples and try to mine it to find a single file - with no luck - that was the malware causing last spring's RSA SecurID breach (see 'Tricked' RSA Worker Opened Backdoor to APT Attack). Last week, Hirvonen's luck changed.

According to an F-Secure posting:

"Timo wrote a data analysis tool that analyzed samples for flash objects. We knew the XLS file in question used a Flash object to take over the system. The new tool located several relevant samples. However, one of them was not an Excel file. It was an Outlook message file (MSG). When Timo opened it up, he knew he was onto something. The message file turned out to be the original email that was sent to RSA on 3rd of March, complete with the attachment 2011 Recruitment plan.xls. After five months, we finally had the file."

Not only that, F-Secure had the original e-mail and attachment that an employee of RSA or its parent, EMC, likely had uploaded to the online scanning service on March 19, which could be shared with others in the anti-malware industry. As F-Secure said:

"We just didn't know we did, and we couldn't find it amongst the millions of other samples."

The Flash object is executed via the Excel attachment. F-Secure asked a simple, but pertinent question: "Why the heck does Excel support embedded Flash?"

The Flash object then uses the CVE-2011-0609 vulnerability to execute code and to drop a so-called poison ivy backdoor to the system. The exploit code then closes Excel and the infection is over. After this, Poison Ivy connects back to its server at The domain has been used in similar espionage attacks over an extended period of time, F-Secure says.

Once the connection is made, the F-Secure posts says, the attacker has full remote access to the infected workstation:

"Even worse, it has full access to network drives that the user can access. Apparently the attackers were able to leverage this vector further until they gained access to the critical SecurID data they were looking for.

F-Secure concludes the attack e-mail doesn't look too complicated. In fact, it's very simple. But the exploit inside Excel was a zero-day attack at the time and RSA couldn't have protected against it by patching its systems, the security provider says.

So, F-Secure asks, was this an advanced attack?

Defining an advanced persistent threat has been debated among security providers in recent weeks. McAfee characterized the scores of attacks perpetrated by a foreign nation in its paper, Revealed: Operation Shady RAT, as APTs (see Is China the Nation Behind Shady RAT?):

"The targeted compromises we are focused on - known as advanced persistent threats (APTs) - are much more insidious and occur largely without public disclosures. They present a far greater threat to companies and governments, as the adversary is tenaciously persistent in achieving their objectives."

But Symantec blogger Hon Lau took exception to the Shady RAT hacks as APTs (see Security Through Obscurity), saying:

"The errors made in configuring the servers and the relatively non-sophisticated malware and techniques used in this case. Sure the people behind it are persistent but no more so than the myriad of other malware groups out there such as Zeus, Tidserv, and others like them."

But is it the advanced technology used or the end results that make certain vulnerabilities APTs? Here's how F-Secure put it:

"The e-mail wasn't advanced. The backdoor they dropped wasn't advanced. But he exploit was advanced. And the ultimate target of the attacker was advanced. If somebody hacks a security vendor just to gain access to their customers systems, we'd say the attack is advanced, even if some of the interim steps weren't very complicated."

Well said.

About the Author

Eric Chabrow

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.