Kunal Sharma IST-323: Case Study – RSA Phishing and APT Attack
IST-323
In the modern-day business world that integrates computer networks into their operations
more than ever before, attackers can use various methods to gain access to information systems.
RSA Security LLC, an American computer and network security corporation, has many
databases that require optimum network security, including cryptography libraries and the
employees’ user SecurID tokens. In 2011, these tokens acted as a two-factor authentication
method for employees, by requiring users to enter a “secret code number displayed on a key fob,
or in software” (Zetter), in addition to their username and password. This number was
cryptographically generated and changed every 30 seconds, adding an extra layer of security.
However, each token had a serial number on it to make it unique, and if an attacker were able to
compromise the system, they could obtain the individual user information (Zetter). These
network aspects can introduce various liabilities (especially when they rely on the defenses of
supplemental end-user software like Adobe Flash [“RSA FraudAction Research Labs”] when
employees are browsing the internet on one of the network clients), and the RSA network did
suffer a successful attack by remote hackers on March 3rd, 2011.
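The following Python model is added here as an illustration; it is not part of the original case study and not RSA's product code. It shows why the serial-number-to-seed mapping held by the authentication server is the asset at risk: codes are derived from a per-token seed every 30 seconds using the RFC 6238 TOTP construction (an assumption made for the example; the real SecurID algorithm is proprietary and different), verified server-side with a small clock-drift window, and re-issuing a token with a fresh seed invalidates codes from the old one.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

STEP_SECONDS = 30  # the paper states the displayed code changes every 30 seconds


def token_code(seed: bytes, unix_time: int, digits: int = 6) -> str:
    """Code a token would display during the 30-second window containing unix_time.

    Modelled on the RFC 6238 TOTP construction (an assumption made for this
    example; RSA's actual SecurID algorithm is proprietary and different).
    """
    counter = (unix_time // STEP_SECONDS).to_bytes(8, "big")
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, as in HOTP/TOTP
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


class TokenServer:
    """Authentication server holding the serial-number -> seed mapping.

    This mapping is what makes each token unique. Anyone who copies it can
    compute every token's codes, which is why a breach of it forces
    re-issuance of tokens rather than a simple password reset.
    """

    def __init__(self) -> None:
        self._seeds: Dict[str, bytes] = {}

    def enrol(self, serial: str, seed: Optional[bytes] = None) -> bytes:
        """Register a token; a random 160-bit seed is generated unless one is given."""
        seed = seed if seed is not None else secrets.token_bytes(20)
        self._seeds[serial] = seed
        return seed

    def reissue(self, serial: str) -> bytes:
        """Replace the seed for a serial number, invalidating the old token entirely."""
        return self.enrol(serial)

    def verify(self, serial: str, code: str, unix_time: int, window: int = 1) -> bool:
        """Accept the code for the current window or +/- `window` neighbours (clock drift)."""
        seed = self._seeds.get(serial)
        if seed is None:
            return False
        for step in range(-window, window + 1):
            expected = token_code(seed, unix_time + step * STEP_SECONDS)
            if hmac.compare_digest(expected, code):
                return True
        return False
```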
The attackers used phishing to gain pertinent end-user information, then proceeded to break
into the RSA network using an APT attack. In an APT attack, a group of hackers is a threat because
of the resources at their disposal and their persistence in getting what they want. They have
techniques to gather information about their target, and an objective as to how they want to
compromise their target and subsequently extract the information they want. The first step the
attackers took when approaching this was to gather any publicly available information about
specific employees, such as e-mail addresses and social media sites, so they could set up a social
engineering manipulation technique. Once they had gathered the e-mails of 4 workers that
weren’t particularly high-profile at RSA’s parent company EMC (Zetter), the attackers sent
them two [target-based content] spear phishing e-mails that read “2011 Recruitment plan” in the
subject line and appeared to come from a “web master” at a job-seeking site called Beyond.com
(Zetter). The e-mail convinced one of the employees to retrieve it from the junk-mail folder and
open the Excel spreadsheet attachment titled “2011 Recruitment plan.xls”. This spreadsheet
contained a zero-day exploit (a bug in an application that the attacker has found and that the
vendor of that software has not yet patched), delivered with a technique called a “hybrid
document exploit”, and Microsoft Office security patches were not able to protect the system
against it (Pan and Tsai). The malicious document can be embedded as an object inside another
application’s document, so the end user is not aware of the underlying threat within what
appears to be a simple e-mail. However, because individual applications are sandboxed, the
attacker still had to gain remote access to the client. The exploit was a two-step attack that used the
Flash vulnerability in the end-user application (in the Authplay.dll component) and repacked it
into the document exploit. Then, a control-flow hijack allowed the hacker to place arbitrary code
in memory. Now, why would the attackers use Excel as the document exploit rather than
a PDF file or a webpage? This was due to the Data Execution Prevention (DEP) security feature
of the operating system. Ordinarily, DEP only allows code to run if it is already part of the
software’s legitimate executable code, but with the Flash bug the hacker was able to make arbitrary
code that appeared to DEP as legitimate code. Because of the Flash bug, the code did not
appear to DEP as instructions executing out of a data area (Pan and Tsai).
Now that the hacker had gained the ability to execute code, they proceeded to set up a
backdoor. This allowed them to install a remote access tool (RAT) known as Poison Ivy and
to set it up in reverse-connect mode, so that the infected client initiated the connection outward
and fetched its commands from the attackers’ server. With the RAT installed in this fashion, the
attacker was more difficult to detect than it would otherwise have been. Then, the hacker
started to move laterally through the network,
searching for users with more access and higher administrative privileges. By not diagnosing the
threat immediately, the RSA network allowed the hacker to continue this shoulder surfing
activity for long enough to map the network and locate a high-end user. By using
privilege escalation, the attacker was able to gain access to the accounts of server administrators.
Then, they moved data from the servers of interest to internal staging servers, where the data was
collected, compressed, and encrypted for extraction. The hackers then used FTP to transfer
password-protected RAR files (including the key data, which was the roughly 40 million user
SecurID tokens) to an external, compromised host server, and then pulled the files from there to
avoid leaving any traces of the attack. All of these actions were not recognized as external by the
network security system because of the remote high-end privileges the attackers had gained
(“RSA FraudAction Research Labs”). Finally, the information the attackers obtained was
suspected to have been used to launch an attack on Lockheed Martin, a US Defense contracting
corporation that was a vital customer of the RSA. However, the company had a strong security
system that used its accounting prowess to detect abnormal activity within the intranet. The
company then launched its “Cyber Kill Chain” framework that “barricaded” any attempts to
access data within the network (Higgins). “The same day that Lockheed Martin detected the
attack, all remote access for employees was disabled, and the company told all telecommuters to
work from company offices for at least a week” (Higgins). Later on that week, the company
informed all remote workers that they'd receive new RSA SecurID tokens and told all workers to
reset their network passwords. As this specific attack attempt indicates, companies must protect
their information systems and minimize risk, because otherwise seriously valuable data can be
extracted for malicious use (Kemshall).
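The following Python detector is added here as an illustration; it is not code from the paper, from RSA or from Lockheed Martin. It runs two checks over a constructed set of outbound-connection records (assumed log format; not real telemetry): periodic call-backs from a workstation to an external host, the pattern a reverse-connect RAT such as Poison Ivy produces, and FTP transfers of archive files from an internal staging host to an external address, the pattern of the password-protected RAR exfiltration described above.

```python
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

# Address ranges treated as "inside" the corporate network (an assumption for this example).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ARCHIVE_SUFFIXES = (".rar", ".zip", ".7z")
FTP_PORTS = {20, 21}

# Constructed outbound-connection records (not real RSA telemetry). Fields:
# timestamp  source-host  destination-ip  destination-port  bytes-sent  filename-or-dash
SAMPLE_LOG = """\
2011-03-04T09:00:00 ws-0417 203.0.113.7 443 512 -
2011-03-04T09:05:00 ws-0417 203.0.113.7 443 498 -
2011-03-04T09:10:00 ws-0417 203.0.113.7 443 505 -
2011-03-04T09:15:00 ws-0417 203.0.113.7 443 511 -
2011-03-04T09:15:23 ws-0417 10.0.5.20 445 80213 -
2011-03-04T09:40:11 ws-0417 10.0.20.9 443 2048 -
2011-03-04T09:41:02 ws-0417 10.0.20.9 443 1999 -
2011-03-04T11:02:44 stage-02 10.0.5.20 445 7000000 -
2011-03-04T13:02:44 stage-02 198.51.100.23 21 183000000 emc-backup-01.rar
2011-03-04T13:30:10 ws-0999 203.0.113.50 80 9000 index.html
"""


def is_internal(ip: str) -> bool:
    """True for addresses inside the corporate ranges defined above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_log(text: str) -> list:
    """Parse the whitespace-separated record format into a list of dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes, fname = line.split()
        events.append({"time": datetime.fromisoformat(ts), "src": src, "dst": dst,
                       "port": int(port), "bytes": int(nbytes), "filename": fname})
    return events


def find_beacons(events, min_count=4, max_jitter=0.1):
    """Flag (src, dst) pairs that contact an external host at near-constant intervals.

    A reverse-connect RAT polls its controller on a timer; legitimate browsing
    rarely produces evenly spaced connections to one external address.
    """
    by_pair = defaultdict(list)
    for ev in events:
        if not is_internal(ev["dst"]):
            by_pair[(ev["src"], ev["dst"])].append(ev["time"])
    hits = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            hits.append({"src": src, "dst": dst, "count": len(times), "mean_interval": mean})
    return hits


def find_archive_exfil(events, min_bytes=50_000_000):
    """Flag FTP transfers of archive files (or very large transfers) to external hosts."""
    hits = []
    for ev in events:
        if is_internal(ev["dst"]) or ev["port"] not in FTP_PORTS:
            continue
        if ev["filename"].lower().endswith(ARCHIVE_SUFFIXES) or ev["bytes"] >= min_bytes:
            hits.append(ev)
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for b in find_beacons(evs):
        print("periodic beacon:", b)
    for e in find_archive_exfil(evs):
        print("archive exfil:", e["src"], "->", e["dst"], e["filename"], e["bytes"])
```

Both checks are deliberately simple thresholds; in production they would be tuned against a baseline of normal traffic and correlated with the staging-host activity (internal SMB copies followed by an outbound transfer) that precedes the exfiltration.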
As for the main portion of the entire attack sequence, which was the infiltration into the RSA
network, the first response step was taken by Adobe: the Flash Player vendor released a
patch for the zero-day that prevented any further injection of malware (Keiser). RSA then re-issued
free SecurID tokens to all of its customers and proceeded to harden its security software. Then,
RSA took its most important action influenced by the APT attack: it launched its
Advanced Cyber Defense (ACD) Services, which offer incident response and breach readiness
services designed to rapidly assist an organization during an incident or breach, as well as to
implement new preventative measures to minimize the risk of a successful attack (“EMC Press
Release”). Finally, a test was conducted of the most advanced attack, a “new side-channel
attack”, on RSA (Finke, Gebhardt, Schindler). The probability was only 10-15 percent.
BIBLIOGRAPHY
Pan, Ming-Chieh and Tsai, Sung-Ting. (August 2011). Weapons of Targeted Attack. Black Hat Presentation. Retrieved from: https://media.blackhat.com/bh-us-11/Tsai/BH_US_11_TsaiPan_Weapons_Targeted_Attack_Slides.pdf
Kemshall, Andy. (22 May 2012). Analyzing the RSA Security Breach. Tmcnet.com. Retrieved from: http://www.tmcnet.com/voip/departments/articles/291353-analyzing-rsa-security-breach.htm
Zetter, Kim. (26 August 2011). Researchers Uncover RSA Phishing Attack, Hiding In Plain Sight. Wired. Retrieved from: http://www.wired.com/threatlevel/2011/08/how-rsa-got-hacked/
Anatomy of an Attack. (1 April 2011). RSA FraudAction Research Labs Blog Post. Retrieved from: https://blogs.rsa.com/anatomy-of-an-attack/ (accessed 2/10/14)
Keiser, Gregg. (14 March 2011). Hackers exploit Flash zero-day, Adobe confirms. Computerworld.com. Retrieved from: http://www.computerworld.com/s/article/9214521/Hackers_exploit_Flash_zero_day_Adobe_confirms
Higgins, Kelly Jackson. (12 February 2013). How Lockheed Martin’s ‘Kill Chain’ Stopped SecurID Attack. Darkreading.com. Retrieved from: http://www.darkreading.com/attacks-breaches/how-lockheed-martins-kill-chain-stopped/240148399
RSA Launches Incident Response and Breach Readiness Services to Help Customers Turn the Tide on Advanced Threats. (19 September 2012). EMC Press Release. Retrieved from: http://www.emc.com/about/news/press/2012/20120919-01.htm
Finke, Thomas, Gebhardt, Max and Schindler, Werner. (1 September 2009). A New Side-Channel Attack on RSA Prime Generation. Iacr.org. Retrieved from: http://www.iacr.org/archive/ches2009/57470141/57470141.pdf