Advanced Persistent Threat Attacks Still a Reality

13 11 2011

Most people familiar with infosec are well aware of the RSA SecureID incident this past March and the ensuing consequences of that attack. Lockheed Martin and other defense contractors’ networks were broken into, and many SecureID tokens had to be replaced. Due to the high-profile nature of the attack and government involvement in the ensuing investigation, RSA was not willing to disclose many details, but did say it was the victim of an “extremely sophisticated” hack. [1]

A copy of the malware used in the attack was not made available by RSA or the third-party investigators hired to examine the attack. For months, forensics researchers were left in the dark and could only contemplate what a massive undertaking this particular hack must have been. Not only were important defense contractors hacked into, but the attackers broke into the world’s most recognized face of computer security to do it. Surely this was the work of an APT, or advanced persistent threat.

It wasn’t until late August that a Finnish security company, F-Secure, happened across the malware that was uploaded to an online repository. More specifically, they received a copy of the actual phishing email message containing the malware payload, an Excel file with an embedded Flash object. [2] F-Secure now knew how advanced the attack was. The security community already knew the malware was delivered with a simple phishing attack. What they didn’t know was that the Flash object in the Excel file used a zero-day exploit. [3]

It isn’t understood whether the attackers discovered the zero-day exploit by themselves or they purchased the exploit on a black-market. It is clear, however, that such an attack was likely the work of an APT. Similar attacks have occurred before, most notably the Stuxnet worm and attacks on Google. It seems that this latest attack was enough to draw the interest of Congress. Various security experts have been summoned to brief lawmakers about the attack, and a list of which companies’ networks were also compromised was released. In total, over 760 companies had compromised networks, the majority of which were in China. [4]

The fact that the attack used a zero-day exploit highlights an important point: while there was nothing RSA could have done to protect against the zero-day exploit, they very well could have done more to prevent falling victim to a phishing attack. This also serves as a reminder that, very often, the human element is the hardest aspect of security to control. If anything, this attack serves as a reminder that zero-day exploits do exist, and sometimes the simplest means of attack – a phishing email – can have catastrophic consequences.

__________________

[1] https://cmu95752.wordpress.com/2011/09/15/is-token-based-2-factor-authentication-really-that-secure/

[2] http://www.f-secure.com/weblog/archives/00002226.html

[3] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0609

[4] http://krebsonsecurity.com/2011/10/who-else-was-hit-by-the-rsa-attackers/

Advertisements

Actions

Information

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s




%d bloggers like this: