Aug 26, 2011 11:27 GMT

After months of searching, security researchers have obtained a copy of the malicious email used in the APT attack against RSA Security and found that its exploit dropped a variant of the Poison Ivy backdoor.

The March RSA Security intrusion which resulted in the theft of data related to the company's popular SecurID two-factor authentication product was widely covered in the media.

This was partially because of RSA's silence following the breach and the fact that it resulted in attacks against Lockheed Martin and possibly other US military contractors.

The company eventually offered to replace all SecurID tokens for its customers, estimated at 40 million tokens, and has already reported losses of $60 million resulting from the incident.

RSA previously revealed that the attack involved an email sent to its employees which carried an Excel file called "2011 Recruitment plan." This file bundled a zero-day Flash Player exploit.

Security researchers had been trying to track down the file in question for months, and a week ago Timo Hirvonen, a malware analyst at F-Secure, finally had a breakthrough.

He wrote a tool that scanned malware samples for Flash objects likely to be associated with an exploit for this vulnerability. One of the identified samples was an Outlook message file, and when Hirvonen opened it he realized that it was the exact email sent to RSA employees.
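Hirvonen's tool was not published, so the following is an added illustration (not code from F-Secure or from this article) of the first triage step such a tool needs: locating embedded Flash (SWF) headers inside an arbitrary container such as an .xls file and sanity-checking each candidate against its own header so that stray text is not reported as Flash. The sample document and the `SwfHit` type are constructed here; the scanner only flags the presence of embedded Flash, it does not identify any particular exploit.

```python
import zlib
from dataclasses import dataclass

# An SWF file starts with a 3-byte signature (FWS plain, CWS zlib, ZWS LZMA),
# a 1-byte version and a little-endian uint32 uncompressed total length.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")
MAX_PLAUSIBLE_VERSION = 50  # Flash Player versions are small integers

@dataclass
class SwfHit:
    offset: int
    signature: str
    version: int
    declared_length: int
    validated: bool  # body is consistent with the header fields

def _body_matches_header(body: bytes, magic: bytes, declared_length: int) -> bool:
    """Sanity-check a candidate so that stray 'FWS' text is not reported as Flash."""
    if magic == b"FWS":           # plain: enough bytes must follow the header
        return len(body) >= declared_length - 8
    if magic == b"CWS":           # zlib: inflate and compare with declared length
        try:
            inflated = zlib.decompressobj().decompress(body)
        except zlib.error:
            return False
        return len(inflated) == declared_length - 8
    return True                   # ZWS (LZMA) is reported but not inflated here

def find_embedded_swf(data: bytes) -> list:
    """Return every plausible SWF header inside a container (e.g. an .xls OLE file)."""
    hits = []
    for magic in SWF_MAGICS:
        pos = data.find(magic)
        while pos != -1:
            hdr = data[pos:pos + 8]
            if len(hdr) == 8 and 1 <= hdr[3] <= MAX_PLAUSIBLE_VERSION:
                length = int.from_bytes(hdr[4:8], "little")
                if length >= 8:
                    ok = _body_matches_header(data[pos + 8:], magic, length)
                    hits.append(SwfHit(pos, magic.decode(), hdr[3], length, ok))
            pos = data.find(magic, pos + 1)
    return sorted(hits, key=lambda h: h.offset)

# Constructed sample: fake OLE header, one plain and one zlib SWF, plus the
# literal text "FWS" as a decoy that must fail validation.
_plain_body = bytes(range(12))
PLAIN_SWF = b"FWS\x0a" + (8 + len(_plain_body)).to_bytes(4, "little") + _plain_body
_zlib_body = b"\x00" * 40
ZLIB_SWF = b"CWS\x0a" + (8 + len(_zlib_body)).to_bytes(4, "little") + zlib.compress(_zlib_body)
SAMPLE_DOC = b"\xd0\xcf\x11\xe0 fake OLE header " + PLAIN_SWF + b" filler FWS not flash " + ZLIB_SWF
```

Candidates whose body fails validation are still returned (with `validated=False`) so an analyst can see what was rejected and why.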

The subject of the email was "2011 Recruitment plan," the content read "I forward this file to you for review. Please open and view it" and the attached file was called "2011 Recruitment plan.xls."

This is a standard and straightforward email attack. There is nothing exceptional about it, and it is baffling that an employee of a security vendor, who should have received proper training, fell for it.

Even more baffling is that the malware installed by the exploit is unimpressive, being a variant of a well-known remote administration tool (RAT) called Poison Ivy. This backdoor has been known since 2006.

However, given that the attack used a zero-day exploit and targeted the customers of a security vendor, it can be considered advanced. "If somebody hacks a security vendor just to gain access to their customers' systems, we'd say the attack is advanced, even if some of the interim steps weren't very complicated," F-Secure's chief research officer Mikko Hypponen says.