RSA Security Attack Timeline

Unknown date, unknown persons

Vulnerability in Adobe Flash (SWF) file interpreter discovered.

Unknown date, unknown persons

Microsoft Excel is used to distribute malicious SWF file (“2011 Recruitment plan.xls”) via email to specific users at RSA. (Perhaps other specific targets as well, an approach known as “spear phishing.”) A malicious SWF file installs a customized variant of the Poison Ivy remote administration tool (RAT) on the compromised machine. (Using a customized variant makes signature-based malware detection of the RAT ineffective; see FireEye Malware analysis of a.exe.) Using the RAT, users’ credentials are harvested and used to access other machines within the RSA network. These other machines are searched, sensitive information was copied and transferred to external servers.

Monday, March 14, 2011

Adobe issues security advisory and patch schedule, warning of a vulnerability (APSA11-01, CVE-2011-0609, SecurityFocus BID 46860) which “could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being exploited in the wild in targeted attacks via a Flash (.swf) file embedded in a Microsoft Excel (.xls) file delivered as an email attachment.”

Anti-virus vendors often add signatures to detect known malware samples at this stage. Anti-virus vendors often have patterns which match auxiliary malicious routines (“Fellow Malware Travelers“). For example, F-Secure may have detected Exploit:W32/XcelDrop.F (see related analysis from F-Secure).

Microsoft may have had existing detection of Exploit:Win32/Shellcode.G or Exploit:Win32/Shellcode.H or Backdoor:Win32/Poison.M.

Wednesday, March 16, 2011

F-Secure detects Exploit.CVE-2011-0609.A.

Microsoft adds Exploit:SWF/CVE-2011-0609 detection for malicious SWF file.

Thursday, March 17, 2011

RSA warns SecurID customers after company is hacked, offers guidance. (Note: The guidance should be reviewed to see if RSA’s own guidance could have prevented the compromise or detected the compromise sooner.)

Anatomy of an Attack by RSA’s Uri Rivner does not indicate if the attack was detected before Adobe’s March 14 announcement or after. In the best possible scenario, RSA was the sole target of spear phishing, recognized a previously undetected vulnerability was being exploited and notified Adobe.

Monday, March 21, 2011

Adobe ships an “out-of-cycle” update. This matches the March 14 patch schedule.

Monday, April 11, 2011

Unrelated, save that it shows Abode is busy.

Adobe warns of Flash Player zero-day exploit via Word document (APSA11-02, CVE-2011-0611).

Friday, April 15, 2011

Unrelated, save that it shows Abode is busy.

Adobe releases patch for Flash Player, Reader and Acrobat vulnerability (APSB11-07, CVE-2011-0609).


What measures at RSA enabled the compromise to occur? Excel enabled the SWF file to run. Users had sufficient permissions to install the RAT. No application whitelist enforced which applications could be installed. Incomplete security awareness training.

What measures at RSA failed to detect that they had been compromised? Were the ancillary malware routines (Excel dropper, Shellcode) detected, and if detected not investigated? Was the remote control traffic undetected? Does the harvesting of user credentials go undetected? Is information extrusion or exfiltration unmonitored? What measure succeeded at detecting the compromise?

A mechanism which could have provided detection is data mining of system information, as described in Finding Suspicious Services and Finding Suspicious Filenames. A more effective data mining approach would include file signatures as part of the collected system information, enabling you to compare found file signatures with known good file signatures. Unknown file signatures should be investigated.

In RSA readies changes to SecurID delivery processes in wake of APT attack, it is suggested that NetWitness network monitoring system enabled the company to ensure the attackers “didn’t empty the coffers of RSA or SecurID.” and knowing the keyfob serial number could lead to predicting the SecurID code.

See also:

On the outside, peering into the incomprehensible. at

How we found the file that was used to Hack RSA F-Secure blog August 26, 2011

Was this the e-mail that took down RSA? by Robert McMillan, ComputerWorld August 26, 2011

RSA chief says two groups (responsible) for SecurID breach by Jeremy Kirk, Computer World October 11, 2011

Assessing Outbound Traffic to Uncover Advanced Persistent Threat [pdf]

One Response to RSA Security Attack Timeline

  1. […] Guy. That doesn’t bother me too much, when I see how the Heartland, Hannaford Brothers and RSA data breaches remained effective and undiscovered due to undetected malware. According to the 2009 […]