Thursday, June 2, 2011

18 Days From 0day to 8K - An RSA Attack Timeline Analysis

There was a lot that bothered me about the official statements surrounding the RSA SecurID breach. For example, they claimed to be victims of an Advanced Persistent Threat that was neither advanced nor persistent. Then there was news of a related attack against L3 Communications prior to 6 April, less than three weeks after the Coviello letter was made public on 17 Mar 2011. I decided to construct a timeline out of the available facts and see whether it supports or conflicts with the versions of events given by RSA President Art Coviello [3] and Mr. Uri Rivner [10]. Either the attack was short-lived, as Mr. Rivner claims, or it was of much longer duration, which would put RSA Security division products at greater risk of compromise, along with the EMC customers who use them, such as Lockheed Martin [6], L3 Communications [5], and possibly Northrop Grumman [11], among others.


According to Rivner's "Anatomy of an Attack" blog post of 1 April 2011 [10], the attacker used a zero-day Flash exploit (CVE-2011-0609) [4]. Neither Rivner nor Coviello provided information about the duration of the attack; however, it is easy to calculate. The 0day used in the attack was created on 28 Feb 2011 by a Chinese hacker whose Twitter alias is yuange1975 [2].
yuange1975's Twitter page
If you do the math, 28 Feb to 17 March is 18 days. Think about that for a minute: 18 days from 0day to EMC's 8-K filing with the SEC. If your head isn't already spinning in disbelief, here is a list of what Uri Rivner claims happened, interspersed with other key dates.
  1. At some point on or after 28 Feb 2011, an attacker acquired yuange1975's Flash 0day, embedded it into an .xls spreadsheet entitled "2011 Recruitment Plan" along with a Poison Ivy RAT payload, and wrote a spear-phishing letter to deliver it (est. #days = ?) [2], [4]
  2. The attacker sent two different phishing emails over a two-day period before one employee opened the attachment (est. #days = 2) [10]
  3. The attacker gained access to the RSA network, identified the privileged users who had access to sensitive material, stole their credentials, and navigated across protected levels of access guarded by multiple authentications, intrusion detection systems, and other layers of defense in depth (est. #days = ?) [10]
  4. The attacker "established access to staging servers at key aggregation points; then went into the servers of interest, removed data (some related to SecurID) and moved it to internal staging servers where the data was aggregated, compressed and encrypted for extraction" (est. #days = ?) [10], [3]
  5. The attacker "used FTP to transfer password protected RAR files from the RSA file server to an outside staging server at an external, compromised machine at a hosting provider. The files were subsequently pulled by the attacker and removed from the external compromised host to remove any traces of the attack." (est. #days = ?) [10]
  6. EMC/RSA Security discovered the attack (date unknown), conducted a forensic investigation, and reported their findings to EMC executives (est. #days = ?)
  7. RSA notified SecurID customers individually under NDA (est. #days to contact 25,000 customers = ?) [8], [9]
  8. EMC lawyers edited and/or approved Art Coviello's statement, which served as both its customer letter and its SEC 8-K notification and was finally published on 17 Mar 2011 (est. #days = ?) [3], [7]
I invite readers to make their own estimates of the number of days it might take to accomplish any of these 8 steps, particularly those involving forensic investigators and attorneys. The 18-day figure is impossibly brief, which means that what was likely the first stage of the prime defense contractor attacks in April and May was deliberately downplayed to protect EMC's stock price and reputation. EMC's customers, particularly its Department of Defense customers, should be demanding answers from Art Coviello and the EMC Board of Directors right about now.

UPDATE: An excellent analysis of the Flash 0day that was used can be read at Villys777's security blog [12].


References:
[2] @yuange1975 Twitter post, 28 Feb 2011: https://twitter.com/#!/yuange1975/status/42357318628802560
[3] RSA.com, Art Coviello, "Open Letter To RSA Customers", 17 Mar 2011: http://www.rsa.com/node.aspx?id=3872
[4] Adobe Security Advisory APSA11-01, 14 Mar 2011, "Security Advisory for Adobe Flash Player, Adobe Reader and Acrobat": http://www.adobe.com/support/security/advisories/apsa11-01.html
[5] Wired.com Threat Level blog, Kevin Poulsen, "Second Defense Contractor L-3 'Actively Targeted' With RSA SecurID Hacks": http://www.wired.com/threatlevel/2011/05/l-3/
[6] NYTimes, 29 May 2011, "Lockheed Strengthens Network Security After Hacker Attack"
[7] Securities and Exchange Commission, "Form 8-K filing from EMC Corporation": http://www.sec.gov/Archives/edgar/data/790070/000119312511070159/d8k.htm
[8] Confidential source, provided to the author via email correspondence
[9] 25,000 RSA SecurID customers figure: Intrepidus Group blog post, 18 Mar 2011: http://intrepidusgroup.com/insight/2011/03/risk-posed-by-securid-hack/
[10] The RSA Blog, Uri Rivner, "Anatomy of an Attack", 1 Apr 2011: http://blogs.rsa.com/rivner/anatomy-of-an-attack/
[11] FoxNews.com, 1 June 2011, "EXCLUSIVE: Northrop Grumman May Have Been Hit by Cyberattack, Source Says": http://www.foxnews.com/scitech/2011/05/31/northrop-grumman-hit-cyber-attack-source-says/#ixzz1O6jjeiyE
[12] Blog IX Security Research, "CVE-2011-0609 Adobe Flash Player": http://bugix-security.blogspot.com/2011/03/cve-2011-0609-adobe-flash-player.html

1 comment:

  1. Well, this @yuange1975 is fake; he only has an account on the Chinese microblog http://weibo.com/n/yuange1975. There's his declaration: http://hi.baidu.com/yuange1975/blog/item/9e3120af5f910cd97cd92a0e.html