Researchers at F-Secure identified the malicious Excel spreadsheet and the email that was used to phish RSA Security earlier this year when SecurID information was stolen.
After EMC's RSA Security
disclosed earlier this year that
unknown attackers had breached its systems via an e-mail with a malicious
, security researchers wondered what the file had contained and how exactly
it had breached the security company.
Researchers at F-Secure think they may have finally found
the attacking file.
Timo Hirvonen, an anti-malware analyst at F-Secure, had been
searching for the file in the company's "collections of tens of millions
of malware samples" ever since RSA admitted it had been breached, Mikko
Hypponen, chief research officer of F-Secure, wrote on the "News from the
" blog Aug. 26. Hirvonen found on Aug. 22 what he believes is the original
e-mail that had been sent to RSA Security employees and the actual Excel
spreadsheet that had been attached.
The email Hirvonen found was sent to at several emc.com
addresses on March 3, according to F-Secure's blog post. On March 19, shortly
after RSA announced the compromise, someone, presumably an EMC employee,
uploaded the email and attachment to VirusTotal for analysis. A free service,
VirusTotal scans suspicious messages with tools from over 40 top security
companies and posts results of the scan. The vendors also get access to all the
files uploaded to the service, which is how Hirvonen found the file.
"I forward this file to you for review. Please open and
view it," the e-mail said.
The e-mail message had been spoofed to look like it had come
from a generic Webmaster address at recruiting Website Beyond.com, and had a
subject line "2011 Recruitment plan." It had been sent to one EMC
employee and cc:ed to three others, possibly in the human resources department,
Hirvnonen found. He realized he was on the right track because RSA had revealed
the filename in the spring.
An Excel spreadsheet titled "2011 Recruitment
plan.xls" was attached to an e-mail that was "crafted well enough to
trick one of the employees to retrieve it from their Junk mail folder,"
, RSA's head of new technologies, said in an April 1 blog post
When Hirvonen opened the attachment, he found a blank
spreadsheet with a single checkbox, an embedded Flash object. Just opening up
the spreadsheet caused Excel to execute the Flash code, which then exploited
Adobe's vulnerability to drop a Poison Ivy backdoor to the system. The file was
closed automatically, but it was too late as the computer was compromised. This
matched the description of what RSA had already revealed.
Since the Flash code targeted a zero-day, RSA could not have
protected against it by keeping systems patched.
Hirvonen observed how Poison Ivy connected to a remote
server, allowing the attacker full access to the infected workstation and all
the user-accessible network drives. Attackers were able to move around the
network until they found the critical data they were looking for.
RSA claimed in March that attack had been an advanced
persistent threat. As details emerged that the initial attack had been launched
by a malicious attachment sent by e-mail, observers wondered whether or not that
could be considered an APT.
Hypponen said even though the email looked "very simple"
and the backdoor wasn't "advanced," since the Flash exploit was
advanced, the overall attack was "advanced, even if some of the interim
steps weren't very complicated," Hypponen said.
That may be up for debate now that the details of the
exploit are public.
"The 0-Day used in the RSA pwn is so lame & NOT
sophisticated at all! Shame on you criminals for the bad exploit quality. And
shame on you RSA for being pwned via a lame and not so sophisticated exploited
! [sic]," Chaouki Bekrar, founder and head of research at security firm
VUPEN, posted on Twitter.