Friday, August 26, 2011
The file that hacked RSA: how we found it Posted by Mikko @ 09:20 GMT | Comments

RSA was hacked in March. This was one of the biggest hacks in history.

As far as we know, a nation-state wanted to break in to Lockheed-Martin and Northrop-Grumman to steal military secrets. They couldn't do it, since these companies were using RSA SecurID tokens for network authentication. So, the hackers broke into RSA with a targeted email attack. They planted a backdoor and finally were able to gain access to SecurID information that enabled them to go back to their original targets and succesfully break into there. In the aftermath of the attack, RSA was forced to replace the SecurID tokens for their customers.

RSA / EMC hack

Already in April, we knew that the attack was launched with a targeted email to EMC employees (EMC owns RSA), and that the email contained an attachment called "2011 Recruitment plan.xls". RSA disclosed this information in their blog post. Problem was, we didn't have the file. It seemed like nobody did, and the antivirus researcher mailing lists were buzzing with discussion about where to find the file. Nobody had it, and eventually the discussion quieted down.

This bothered Timo Hirvonen. Timo has been working as an analyst in our labs and we was convinced that he could find this file. Every few weeks since April, Timo would go back to our collections of tens of millions of malware samples and try to mine it to find this one file - with no luck. Until this week.

Timo wrote a data analysis tool that analysed samples for flash objects. We knew the XLS file in question used a Flash object to take over the system. The new tool located several relevant samples. However, one of them was not an Excel file. It was an Outlook message file (MSG). When Timo opened it up, he knew he was onto something. The message file turned out to be the original email that was sent to RSA on 3rd of March, complete with the attachment 2011 Recruitment plan.xls

After five months, we finally had the file. And not only that, we had the original email. Turns out somebody (most likely an EMC employee) had uploaded the email and attachment to the Virustotal online scanning service on 19th of March. And, as stated in the Virustotal terms, the uploaded files will be shared to relevant parties in the anti-malware and security industry. So, we all had the file already. We just didn't know we did, and we couldn't find it amongst the millions of other samples.

RSA / EMC hack
The sample was uploaded on 19th of March as file-1994209_msg

So, what did the email look like? It was an email that was spoofed to look like it had come from recruiting website Beyond.com. It had the subject "2011 Recruitment plan" and one line of content: "I forward this file to you for review. Please open and view it". The message was sent to one EMC employee and cc'd to three others.

RSA / EMC hack

When opened, this is what the XLS attachment looked like:

RSA / EMC hack

Here's a Youtube video that shows in practice what happens when you open the malicious Excel file.

In this video you can see us opening the email to Outlook and launching the attachment is launched. The embedded flash object shows up as a [X] symbol in the spreadsheet. The Flash object is executed by Excel (why the heck does Excel support embedded Flash is a good question). Flash object then uses the CVE-2011-0609 vulnerability to execute code and to drop a Poison Ivy backdoor to the system. The exploit then code closes Excel and the infection is over.

After this, Poison Ivy connects back to it's server at good.mincesur.com. The domain mincesur.com has been used in similar espionage attacks over an extended period of time.

RSA / EMC hack

Once the connection is made, the attacker has full remote access to the infected workstation. Even worse, it has full access to network drives that the user can access. Apparently the attackers were able to leverage this vector further until they gained access to the critical SecurID data they were looking for.

The attack email does not look too complicated. In fact, it's very simple. However, the exploit inside Excel was a zero-day at the time and RSA could not have protected against it by patching their systems. Was this an Advanced attack? The email wasn't advanced. The backdoor they dropped wasn't advanced. The exploit was advanced. The ultimate target of the attacker was advanced. If somebody hacks a security vendor just to gain access to their customers systems, we'd say the attack is advanced, even if some of the interim steps weren't very complicated.

Timo will be discussing his research on the topic in detail in the T2 Data Security conference in October in his talk titled "How RSA Was Breached".


PS. For those who are still looking for the sample:
MD5 of the MSG file: 1e9777dc70a8c6674342f1796f5f1c49
MD5 of the XLS file: 4031049fe402e8ba587583c08a25221a

<<< Chinese TV Program Censored