'Tricked' RSA Worker Opened Backdoor to APT Attack
APT Presents New Attack Doctrine Built to Evade Existing Defenses
An Excel spreadsheet attached to the e-mail carried a zero-day exploit for an Adobe Flash vulnerability, which Adobe has since patched; opening the attachment led to the installation of a backdoor on the employee's PC, writes Uri Rivner, head of new technologies, identity protection and verification at RSA, in a blog posted Friday.
RSA disclosed on March 17 that an attacker had targeted its SecurID two-factor authentication product in what it termed an advanced persistent threat breach (see RSA Says Hackers Take Aim At Its SecurID Products). An APT refers to the sophisticated and clandestine means a well-resourced adversary uses to gain continual, persistent intelligence on a target such as a nation or corporation. Rivner's blog is the first substantial public comment on the breach since RSA Executive Chairman Art Coviello's March 17 statement.
RSA on Monday also announced it is acquiring Netwitness, the network security company that provides real-time network forensics and automated threat analysis solutions. In a statement, Netwitness founder and CEO Amit Yoran alluded to the breach: "Recent events reinforce the passion and commitment we have shared for years - to help you combat zero-day attacks, targeted and advanced threats, and other sophisticated security problems."
Netwitness technology and personnel helped identify the APT attack as it progressed, enabling RSA to launch an aggressive defense, an individual close to RSA says. But the breach had nothing to do with the acquisition; negotiations between RSA and Netwitness began before March 17.
According to Rivner, the exploit planted malicious code on the employee's PC, giving the attacker full access to the machine. The attacker then installed a customized variant of a remote administration tool known as Poison Ivy, which has been used in APT attacks against other companies. Such tools use a reverse-connect model: as Rivner explains, the implant on the compromised host initiates outbound connections to the central command-and-control servers, pulls its commands from them and executes them, rather than listening for inbound connections from the attacker. Because the traffic originates inside the network and looks like an ordinary outbound session, it passes perimeter controls that block unsolicited inbound connections and is harder to detect.
Rivner's analysis of the breach determined the attacker had sent two different phishing e-mails over a two-day period to two small groups of RSA employees. "You wouldn't consider these users particularly high profile or high value targets," he says. Once inside, the attacker sought out employees with greater access to sensitive information. "When it comes to APTs, it is not about how good you are once inside, but that you use a totally new approach for entering the organization," Rivner says. "You don't bother to just simply hack the organization and its infrastructure; you focus much more of your attention on hacking the employees."
The RSA official says the attacker first harvested access credentials from the compromised employee, escalated privileges from non-administrative user accounts on the targeted systems, and then moved on to gain access to key high-value targets, which included process experts and both IT and non-IT server administrators.
"If the attacker thinks they can exist in the environment without being detected, they may continue in a stealth mode for a long while," Rivner says. "If they think they run the risk of being detected, however, they move much faster and complete the third, and most 'noisy' stage of the attack. Since RSA detected this attack in progress, it is likely the attacker had to move very quickly to accomplish anything in this phase."
Rivner says the goal of the attacker is to extract information. In this assault, he says, the attacker first gained access to staging servers at key aggregation points to prepare for extraction. Next, the attacker accessed servers of interest and moved data to those internal staging servers, where it was aggregated, compressed and encrypted for extraction. Then, the attacker used the file transfer protocol (FTP) to transfer many password-protected RAR files from the RSA file server to an outside staging server: an external, already-compromised machine at a hosting provider. The attacker subsequently pulled the files from that host and deleted them there to remove traces of the attack.
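The two traits described above, an implant that polls its command-and-control server on a timer and a bulk push of archives to one external host over FTP, are both visible in egress logs even when the payload itself is encrypted. The following is an added example, not code from RSA, Rivner or Netwitness: it runs two simple checks over a constructed firewall-style log (the log format, the IP addresses, the 300-second beacon period and the 100 MB threshold are all assumptions). The first check flags flows whose inter-arrival times have a low coefficient of variation, the signature of a reverse-connect beacon; the second flags source/destination pairs that moved more than a threshold volume out over FTP, which is the signal left by password-protected RAR files whose contents cannot be inspected.

```python
"""Added example: spot reverse-connect beaconing and bulk FTP egress in
a constructed connection log. Log format, hosts and thresholds are
assumptions for illustration, not data from the RSA breach."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, median, pstdev

# Constructed sample egress log (hypothetical format):
# <ISO timestamp> <src_ip> <dst_ip> <dst_port> <bytes_out>
# 10.1.1.20 beacons to 203.0.113.5 roughly every 300 s with tiny payloads;
# 10.1.1.30 browses 198.51.100.10 at irregular intervals;
# 10.1.1.50 pushes three large FTP transfers to 192.0.2.77;
# 10.1.1.60 makes one ordinary FTP transfer.
SAMPLE_LOG = """\
2011-03-01T09:00:00 10.1.1.20 203.0.113.5 443 612
2011-03-01T09:00:10 10.1.1.30 198.51.100.10 443 18422
2011-03-01T09:00:35 10.1.1.30 198.51.100.10 443 9031
2011-03-01T09:03:50 10.1.1.30 198.51.100.10 443 20177
2011-03-01T09:05:01 10.1.1.20 203.0.113.5 443 598
2011-03-01T09:09:59 10.1.1.20 203.0.113.5 443 605
2011-03-01T09:12:00 10.1.1.30 198.51.100.10 443 3310
2011-03-01T09:12:04 10.1.1.30 198.51.100.10 443 44120
2011-03-01T09:15:00 10.1.1.20 203.0.113.5 443 611
2011-03-01T09:20:02 10.1.1.20 203.0.113.5 443 590
2011-03-01T09:24:58 10.1.1.20 203.0.113.5 443 607
2011-03-01T09:31:00 10.1.1.30 198.51.100.10 443 12800
2011-03-01T09:40:00 10.1.1.50 192.0.2.77 21 41000000
2011-03-01T09:47:30 10.1.1.50 192.0.2.77 21 55000000
2011-03-01T09:58:10 10.1.1.50 192.0.2.77 21 48000000
2011-03-01T10:05:00 10.1.1.60 198.51.100.20 21 2000000
"""


def parse_log(text):
    """Parse the constructed log into a list of dicts, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "dst": dst,
            "port": int(port),
            "bytes": int(nbytes),
        })
    return records


def find_beacons(records, min_events=5, max_cv=0.1):
    """Return (src, dst, port, median_gap_seconds) for flows whose
    connections recur at a near-constant interval. A reverse-connect
    implant polls its C2 on a timer, so its inter-arrival times have a
    low coefficient of variation; interactive traffic does not."""
    by_flow = defaultdict(list)
    for r in records:
        by_flow[(r["src"], r["dst"], r["port"])].append(r["ts"])
    hits = []
    for flow, stamps in by_flow.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue
        if pstdev(gaps) / avg <= max_cv:
            hits.append(flow + (round(median(gaps)),))
    return sorted(hits)


def find_bulk_ftp(records, threshold_bytes=100_000_000):
    """Return (src, dst, total_bytes) for pairs that pushed more than
    threshold_bytes out over FTP in total. Assumes a session-aware log
    that attributes transfer volume to the FTP session on port 21; raw
    packet logs would need the separate data channel correlated in."""
    totals = defaultdict(int)
    for r in records:
        if r["port"] == 21:
            totals[(r["src"], r["dst"])] += r["bytes"]
    return sorted((src, dst, total) for (src, dst), total in totals.items()
                  if total > threshold_bytes)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for src, dst, port, gap in find_beacons(recs):
        print(f"beacon: {src} -> {dst}:{port} every ~{gap}s")
    for src, dst, total in find_bulk_ftp(recs):
        print(f"bulk ftp: {src} -> {dst} {total} bytes")
```

On the constructed log this flags the 10.1.1.20 beacon (median gap 301 s) and the 144 MB pushed from 10.1.1.50 to 192.0.2.77, while the irregular browsing flow and the single 2 MB FTP transfer pass. Real implants add jitter and use multiple fallback servers, so in practice the coefficient-of-variation threshold is tuned per environment and combined with destination reputation; the point is that an encrypted, outbound-initiated channel still has timing and volume, and those are what an in-progress detection like the one the article credits to RSA's incident response team has to work from.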
"While RSA made it clear that certain information was extracted, it's interesting to note that the attack was detected by its Computer Incident Response Team in progress," Rivner says. "I've been talking to many CISOs in corporations that were hit by similar APTs and a lot of companies either detected the attacks after months, or didn't detect them at all and learned about it from the government. This is not a trivial point: by detecting what is happening early on, RSA was able to respond quickly and engage in immediate countermeasures."
Rivner characterized APT as a new attack doctrine built to evade existing perimeter and endpoint defenses, and analogized an APT attack to stealth jet fighters that circumvent radar.
"For decades, you've based your air defense on radar technology, but now you have those sneaky stealth fighters built with odd angles and strange composite materials," he says. "You can try building bigger and better radars or ... you can try staring more closely at your existing radars in hope of catching some faint signs of something flying by, but this isn't going to turn the tide on stealthy attackers. Instead you have to think of a new defense doctrine. Building a new defense doctrine takes time, but over the course of history many campaigns that required building a new defense doctrine were eventually won."
Rivner cites the financial industry's seven-year campaign to battle phishing attacks, and alludes to a British payment council announcement that online banking fraud declined 27 percent despite a 21 percent increase in phishing attacks last year. "We've learned a thing or two that can help us build a new defense doctrine against APTs much faster," he says. "Already we're learning fast, and every organization hit by an APT is much more prepared against the next one; I'm confident it will take us far less than seven years to say we've turned the tide on APTs."