Security researchers trace RSA hack and SecurID breach to lame Excel spreadsheet phishing

F-Secure found the file that was used to hack RSA and compromise the SecurID system. Kim Zetter of Wired News has more here.

This week Finnish security company F-Secure discovered that the file had been under their noses all along. Someone — the company assumes it was an employee of RSA or its parent firm, EMC — had uploaded the malware to an online virus scanning site back on March 19, a little over two weeks after RSA is believed to have been breached on March 3. The online scanner, VirusTotal, shares malware samples it receives with security vendors and malware researchers.

RSA had already revealed that it had been breached after attackers sent two different targeted phishing e-mails to four workers at its parent company EMC. The e-mails contained a malicious attachment that was identified in the subject line as “2011 Recruitment plan.xls.”

None of the recipients were people who would normally be considered high-profile or high-value targets, such as an executive or an IT administrator with special network privileges. But that didn’t matter. When one of the four recipients clicked on the attachment, the attachment used a zero-day exploit targeting a vulnerability in Adobe Flash to drop another malicious file — a backdoor — onto the recipient’s desktop computer. This gave the attackers a foothold to burrow farther into the network and gain the access they needed.
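The dropper described above was a Flash object embedded inside an Excel spreadsheet, something a mail gateway or a user's macro warning never surfaces. The following is an added illustration, not code from F-Secure, RSA or Wired, of the simplest check a practitioner can run on a suspicious attachment: carve the bytes for SWF headers (`FWS` uncompressed, `CWS` zlib, `ZWS` LZMA) and sanity-check what follows. It does not parse the OLE2 container; the sample blob, the version and length thresholds and the decoy string are all constructed for the example.

```python
"""
Carve embedded Flash (SWF) objects out of an arbitrary byte blob.

Added illustration for this page; not code from F-Secure, RSA or Wired.
It does not parse the OLE2/Excel container: it scans raw bytes for the
SWF header (FWS = uncompressed, CWS = zlib, ZWS = LZMA), then applies a
few plausibility checks so that stray "FWS" text does not trigger it.
"""
import re
import struct
import zlib

# Every SWF starts with one of three 3-byte signatures, a version byte and
# a little-endian UI32 giving the *uncompressed* file length (8-byte header).
SWF_SIGNATURE = re.compile(rb"[FCZ]WS")
MAX_SANE_VERSION = 50              # assumption: no real SWF version is this high
MAX_SANE_LENGTH = 256 * 1024 * 1024  # assumption: anything bigger is noise


def _looks_like_zlib(b: bytes) -> bool:
    # zlib header: CMF low nibble 8 (deflate) and CMF*256+FLG divisible by 31.
    return len(b) >= 2 and (b[0] & 0x0F) == 8 and ((b[0] << 8) | b[1]) % 31 == 0


def find_swf_objects(data: bytes):
    """Return a list of dicts describing plausible SWF headers found in `data`."""
    found = []
    for m in SWF_SIGNATURE.finditer(data):
        off = m.start()
        if off + 8 > len(data):
            continue
        sig = data[off:off + 3]
        version = data[off + 3]
        length = struct.unpack_from("<I", data, off + 4)[0]
        remaining = len(data) - off
        # Reject accidental "FWS"/"CWS" text: absurd version or declared length.
        if not 1 <= version <= MAX_SANE_VERSION:
            continue
        if length < 8 or length > MAX_SANE_LENGTH:
            continue
        body = data[off + 8:]
        if sig == b"FWS":
            # Uncompressed: the declared length must fit in what is left.
            if length > remaining:
                continue
            payload = body[:length - 8]
        elif sig == b"CWS":
            if not _looks_like_zlib(body):
                continue
            try:
                # Inflate only as much as the header promises; trailing
                # container bytes end up in unused_data, not in an error.
                payload = zlib.decompressobj().decompress(body, length - 8)
            except zlib.error:
                continue
        else:  # ZWS (LZMA): report it, but do not try to inflate it here.
            payload = None
        found.append({
            "offset": off,
            "signature": sig.decode(),
            "version": version,
            "declared_length": length,
            "payload": payload,
        })
    return found


def _minimal_swf_body() -> bytes:
    # Constructed minimal SWF body: RECT with nbits=0 (1 byte), frame rate 12.0
    # as UI16 8.8 fixed-point, frame count 1, ShowFrame (tag 1) and End (tag 0).
    return bytes([0x00, 0x00, 0x0C, 0x01, 0x00, 0x40, 0x00, 0x00, 0x00])


def build_sample_blob() -> bytes:
    """Constructed stand-in for a spreadsheet carrying two embedded Flash objects."""
    body = _minimal_swf_body()
    uncompressed = b"FWS" + bytes([10]) + struct.pack("<I", 8 + len(body)) + body
    compressed = b"CWS" + bytes([10]) + struct.pack("<I", 8 + len(body)) + zlib.compress(body)
    ole_header = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 24  # OLE2 magic, padded
    decoy = b"NEWS FWS\xff\xff\xff\xff\xff"  # "FWS" as text with nonsense version/length
    return (ole_header + b"\x00" * 64 + uncompressed + b"\x00" * 32
            + decoy + b"\x00" * 32 + compressed + b"\x00" * 16)


if __name__ == "__main__":
    for hit in find_swf_objects(build_sample_blob()):
        print(f"{hit['signature']} v{hit['version']} at offset {hit['offset']}, "
              f"declared length {hit['declared_length']}")
```

On a real `.xls` the embedded object lives inside an OLE stream, so a proper triage also walks the compound file (oletools' `oleobj` does this); the byte carve above is the quick first pass that catches the Flash object regardless of how it was wrapped.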


  1. “The email was crafted well enough to trick one of the employees to retrieve it from their Junk mail folder, and open the attached Excel file,” RSA wrote on its blog in April.

    …I am trying to respond to this but all that will come out of my mouth is an angry squeaking noise.

  2. It still amazes me how people who spread all kinds of malware are so bad at making emails that sound legit, but so good at targeting mostly users with frequent PICNIC issues who don’t realise that a single line email stating the obvious and then asking to «open it and view it» (and from someone they don’t know) is suspicious.

    And how it still manages to convince some people to «open it and view it».

    1. It’s because the same people who open said mail also send mail in the same format. Without much other text to go on, they have little to work out if the email is legit or not; even after the fact that they don’t know who the email is from, it looks legit as it’s the same type of email they would send themselves or get from other employees with the same half a brain cell… unfortunately.

    2. I don’t think that I’ve ever seen a phishing e-mail that didn’t have a misspelling. Oh, look! It’s my monthly statement from Bank of Ammerica!

  3. as someone who works in IT security for a living, I think I am more relieved than scared that this was the attack vector.  The alternatives–remote exploits, physical recon, bribed employees–are all much scarier.

    1. They might be more scary, but why put lots of effort in when a phone call from a man with a nice voice to a shy secretary will get you the login password.

      Or giving her a gift of an iThingy with a payload to deliver the first time she goes to recharge at work.

      Or you can send her an ecard to tell her how special she is…. and once she goes to get it you own the system.

      Humans are and remain the biggest security risk to secure systems, it does not matter how educated you are or how smart you are… all you need to do is slip up once.

      1. The iThing gift reminds me of an article I read years ago. As a security experiment, several flash drives were casually dropped outside of a bank. Several employees found them, and of course the first thing they did was plug them into their bank networked computers to see what was on them. Oh, look, a nice JPEG image to open…..

        Fortunately it was only a test, to show the power of social engineering.

        1. I wonder if the answer is to set up one computer tied to nothing and designed to accept no changes, so when people feel compelled to plug in random flash drives, there is a designated spot for it.

  4. “It’s because the same people who open said mail also send mail in the same format. Without much other text to go on, they have little to work out if the email is legit or not; even after the fact that they don’t know who the email is from, it looks legit as it’s the same type of email they would send themselves or get from other employees with the same half a brain cell… unfortunately.”

    You’re on the right track! I would never do this, but I absolutely have received similar emails from my own colleagues. An attachment with a one line message, “Read this and respond, please.” One of our senior guys is fond of this. He scans and forwards every article relevant to the job he can find. Which is actually pretty useful. But it means lots of emails with strangely named attachments and little body text.

  5. Opening an unsolicited attachment from a sender not personally known to you should be grounds for termination at a security company.

  6. I work as an IT Security Engineer in an industry sector that would seem to value good security practices. Nevertheless, my coworkers send me valid “one-liner plus vaguely named attachment” email All. The. Time.

  7. I sometimes think it has something to do with computers putting otherwise smart people’s brains in park. I don’t know what it is, but I’ve met a lot of computer users who just double clutch when something is looking at them from a screen, something they find intimidating, and they react without thinking out of unease.

    Best case I can think of is a friend of mine who tried to prove this point to his father by writing a small executable (quite harmless) called “Iamavirus.exe” and mailing it to him. His father, needless to say, opened it and installed it.

    1. Bwaahaha, that reminds me of an acquaintance that took down a BBS way back in the day by putting some junk in a ZIP file with a batch file called install.bat, named the ZIP after a hot new game then uploaded it to the BBS’s new files section.  The BBS mysteriously went down a few hours later.  The content of the batch file?  A format command along with an echo saying “Installing [game]…”

      I hope the statute of limitations is up on that one.

  8. Are you kidding me?
    As popular as this site is, you can’t just click on the name to get here when you have been sent here from another link.

  9. Apart from the problems involved in users’ widespread abdication of responsibility for anything that they do, there are the same old two problems at the bottom of almost all of these problems: Microsoft’s invention, sadly now widely copied, of an operating system that will run software in your account without your knowledge or permission; and the removal of all of the hardware based memory protection that used to be there.

  10. From the article:

    The embedded flash object shows up as a [X] symbol in the spreadsheet. The Flash object is executed by Excel (why the heck does Excel support embedded Flash is a great question).

    This is where your outrage should be directed, more than the users.  Microsoft Office products typically warn the user if there are macros embedded in a document, spreadsheet, etc. allowing you to back out of potentially risky behavior.  That’s the way it should be, and congrats to Microsoft for setting it up that way.  However, the fact that embedded Flash gets a free pass in this same environment is beyond strange.  Seriously WTF? 

  11. Maybe Microsoft would care more about security if fanboys wouldn’t blindly use their shitty products in mass.

    Yep, I’m looking at YOU.

Comments are closed.