RSA felled by Adobe Flash zero-day flaw

RSA has released details of the attack that allowed unknown individuals to download information that could be used to attack the company's SecurID two-factor authentication platform - and it's blaming Adobe's Flash for the intrusion.

Uri Rivner, head of new technologies at the security outfit, has reported that the company has pieced together the details of the attack - a category of intrusion the company calls an Advanced Persistent Threat, or APT - and places the blame firmly at the door of a zero-day vulnerability in Adobe's Flash Player rich media technology.

The attack started, Rivner explained, with a phishing attack. "The two [phishing] e-mails were sent to two small groups of employees; you wouldn't consider these users particularly high profile or high value targets. The email subject line read '2011 Recruitment Plan,' a subject line that encouraged users to retrieve the automatically-deleted message from their Junk folder and open the attached Excel spreadsheet.

"The spreadsheet contained a zero-day exploit that installs a backdoor through an Adobe Flash vulnerability," Rivner reported - which is how the unknown attackers were able to gain access to RSA's internal networks and retrieve the SecurID source code files.
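The delivery vehicle described above was an Excel attachment carrying an embedded Flash object. The following is an added example, not code from the article or from RSA, of the kind of check a mail gateway or endpoint scanner can run on an attachment before anyone opens it: it flags Office files that contain a Flash (SWF) header, whether the file is a zip-based .xlsx (each member is inflated and scanned) or a legacy flat .xls (scanned as raw bytes). The SWF header rule comes from the public SWF format (signature `FWS`, `CWS` or `ZWS`, one version byte, then a 4-byte little-endian length); the sample attachments are constructed byte strings, not real files.

```python
"""Flag Office attachments that embed a Flash (SWF) object.

Added example; not from the article or RSA. The SWF signature check follows
the published SWF header layout. All sample files are constructed here.
"""
import io
import re
import struct
import zipfile

# SWF header: F=uncompressed, C=zlib, Z=LZMA; then version byte, then
# 4-byte little-endian uncompressed length.
SWF_HEADER = re.compile(rb"[FCZ]WS(?P<version>[\x01-\x40])(?P<length>.{4})", re.DOTALL)


def find_swf_headers(data):
    """Return offsets of plausible SWF headers in a byte buffer.

    Plausibility: the length field must be at least the 8-byte header and no
    larger than 256 MiB, which weeds out random three-letter collisions.
    """
    hits = []
    for m in SWF_HEADER.finditer(data):
        (length,) = struct.unpack("<I", m.group("length"))
        if 8 <= length <= 256 * 1024 * 1024:
            hits.append(m.start())
    return hits


def scan_attachment(data):
    """Return a list of (location, offset) for embedded SWF headers.

    OOXML (.xlsx) is a zip container, so each member is inflated and scanned;
    anything else (e.g. legacy OLE .xls) is scanned as one flat buffer, which
    catches headers that sit inside a single OLE sector.
    """
    findings = []
    if data[:2] == b"PK" and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                for off in find_swf_headers(zf.read(name)):
                    findings.append((name, off))
    else:
        for off in find_swf_headers(data):
            findings.append(("<file>", off))
    return findings


def build_samples():
    """Constructed test files: one clean workbook, two with an SWF stub inside."""
    # Constructed stub: zlib-signature SWF, version 10, claims 4096 bytes.
    swf_stub = b"CWS" + bytes([10]) + struct.pack("<I", 4096) + b"\x78\x9c" + b"\0" * 16

    clean_xlsx = io.BytesIO()
    with zipfile.ZipFile(clean_xlsx, "w") as zf:
        zf.writestr("xl/workbook.xml", "<workbook/>")

    bad_xlsx = io.BytesIO()
    with zipfile.ZipFile(bad_xlsx, "w") as zf:
        zf.writestr("xl/workbook.xml", "<workbook/>")
        # OLE magic followed by padding, then the embedded SWF at offset 32.
        zf.writestr("xl/embeddings/oleObject1.bin",
                    b"\xd0\xcf\x11\xe0" + b"\0" * 28 + swf_stub)

    # Legacy OLE2 .xls: 8-byte magic, 500 bytes of padding, SWF at offset 508.
    legacy_xls = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\0" * 500 + swf_stub

    return {"clean.xlsx": clean_xlsx.getvalue(),
            "embedded_flash.xlsx": bad_xlsx.getvalue(),
            "legacy.xls": legacy_xls}


if __name__ == "__main__":
    for name, blob in build_samples().items():
        hits = scan_attachment(blob)
        verdict = "QUARANTINE" if hits else "clean"
        print(f"{name}: {verdict} {hits}")
```

A flat byte scan is intentionally conservative: it can miss a header that straddles an OLE sector boundary, so in production this sits alongside an OLE stream parser, and a hit on an Excel attachment is a reason to quarantine and inspect, not a verdict on its own.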

"The next step in a typical APT [attack] is to install some sort of a remote administration tool that allows the attacker to control the machine," Rivner further explains. "In our case the weapon of choice was a Poison Ivy variant set in a reverse-connect mode that makes it more difficult to detect, as the PC reaches out to the command and control rather than the other way around."
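Reverse-connect tooling, as Rivner describes it, turns the infected workstation into the party that initiates the connection, so the defender's signal is not an inbound session but a timer-driven outbound one. The block below is an added example, not from the article or RSA, of detecting that cadence in outbound connection records: it groups connections by (source host, destination) and flags pairs whose inter-connection gaps are nearly constant. The log format and every log line are constructed for this example; the thresholds (`min_connections`, `max_jitter`) are illustrative starting points, not values from the page.

```python
"""Detect reverse-connect beaconing in outbound connection logs.

Added example; not from the article or RSA. The log format below is
constructed: "<ISO timestamp> <src_host> <dst_ip>:<port>".
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log. ws-042 calls 198.51.100.7:443 every ~5 minutes;
# the other connections are irregular browsing-style traffic.
SAMPLE_LOG = """\
2011-03-01T09:00:00 ws-042 198.51.100.7:443
2011-03-01T09:00:05 ws-042 203.0.113.20:80
2011-03-01T09:05:01 ws-042 198.51.100.7:443
2011-03-01T09:09:59 ws-042 198.51.100.7:443
2011-03-01T09:12:10 ws-017 203.0.113.20:80
2011-03-01T09:15:00 ws-042 198.51.100.7:443
2011-03-01T09:20:02 ws-042 198.51.100.7:443
2011-03-01T09:21:30 ws-017 203.0.113.44:443
2011-03-01T09:25:00 ws-042 198.51.100.7:443
2011-03-01T09:40:11 ws-017 203.0.113.20:80
"""


def parse_log(text):
    """Yield (timestamp, src, dst) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[2]


def find_beacons(text, min_connections=5, max_jitter=0.1):
    """Return {(src, dst): mean_gap_seconds} for regular outbound patterns.

    A pair is flagged when it has at least `min_connections` connections and
    the coefficient of variation of the gaps between them (stdev / mean) is
    below `max_jitter`. Human browsing is bursty; a timer callback is not.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in parse_log(text):
        by_pair[(src, dst)].append(ts)

    flagged = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_jitter:
            flagged[pair] = round(avg, 1)
    return flagged


if __name__ == "__main__":
    for (src, dst), interval in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: ~{interval}s cadence, investigate")
```

Real implants add jitter and sleep through office hours, so the jitter threshold and minimum count are tuned per environment, and the output is a triage queue rather than an alert on its own; the point of the example is that a reverse connection still has to happen on a schedule the host itself keeps, and that schedule is visible in proxy or flow logs.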

With this remote access, the attackers were able to digitally 'shoulder surf' the affected employees' computers, watching them work and building a picture of their place in the company and the rights they have on the network. By using this information, the attackers were able to plan more e-mail 'spear phishing' attempts - eventually finding a user with the access they required.

It's at this point that the attackers' plan fell apart. Having discovered the source code, they needed to take an active role in retrieving it from the corporate network. As soon as they started this, Rivner claims, RSA's incident response team detected their presence and worked to find them and eliminate their access from the network - something that normally takes a significant amount of time.

"I’ve been talking to many CISOs in corporations that were hit by similar APTs and a lot of companies either detected the attacks after months, or didn’t detect them at all and learned about it from the government," Rivner claimed. "This is not a trivial point: by detecting what is happening early on, RSA was able to respond quickly and engage in immediate countermeasures."

Its quick response, and its ongoing efforts to keep its user base informed of the progress of its investigation, have won the company support from the information security community. "RSA has been extremely deliberate and most importantly responsible," claimed IT executive Mischel Kwon in defence of the company. "It is easy to critique from a distance how RSA chose to prioritise their communications, the timeline and the audience to which they divulged information; but believe me, if you have not been in the center of such a storm, it's impossible to appreciate just how difficult each and every decision can be."

Others in the community agree that RSA has fallen victim to the growing sophistication of attackers, and that the successful attack on the company highlights a growing trend for criminals to target high-profile businesses. "Although phishing attacks have been around for a while this incident demonstrates the need for continual employee education," claimed 2e2's security practice director Russell Poole in a statement to thinq_. "It also demonstrates the need to ensure all business applications and operating systems are at the latest patch levels.

"The attack on RSA shows just how sophisticated cybercriminals are getting today. No one is ever 100% safe and this incident should act as a warning to all organisations."

The Adobe Flash vulnerability used in the RSA attack, CVE-2011-0609, has since been patched, and RSA is implementing new security procedures to prevent a recurrence, Rivner has reported - although the after-effects of the leaked SecurID source code are likely to cause ripples in the security community for years to come.