Researcher: DEP Would Have Stopped Exploit Used In RSA Breach

Qualys research says EMC RSA phishing victims likely were running Windows XP
New research dissecting the initial exploit and malware used in the attack against RSA concludes that Windows' Data Execution Prevention (DEP) would have halted the attack if the victims were on Windows 7 machines.

DEP, which is built into Windows 7 and is available for Vista and XP SP2, would have stopped the exploit in its tracks, says Rodrigo Rubira Branco, director of Qualys' Vulnerability & Malware Research Labs, who tested the exploit and published his results today. He says it appears that the EMC RSA victims were running XP and did not have DEP enabled on their systems.

"The victims were using Windows XP, which is DEP-capable since SP2. I know that for sure because the exploit won't work against Windows 7 due to limitations in the exploit code itself," Branco says. "In this specific case, it was possible to change the exploit to work against DEP, but the exploit has been likely reused from another target. Having DEP on would prevent the exploitation.

"We can't say that the attacker would not change the exploit and try again, but it clearly was going to give more time to the defense to detect the attack and mitigate its effects."

Researchers have demonstrated bypassing DEP in older versions of Windows. Branco says the exploit demonstrates how even using patched, older technologies can leave an organization vulnerable. "If you use old technologies, even when they are patched, they are more exposed since the prevention mechanisms are not there, and when they are, they are easily bypassed," he says.

Branco, who published his new research today in a blog post, says digging into the original phishing email and rigged Excel attachment helped confirm the theory that the attackers wanted access to U.S. military contractors, not RSA itself.

RSA has said publicly that its breach was a means to an end for the attackers. "We were a path to try to attack other organizations," says Eddie Schwartz, CSO for EMC RSA. "That was very clear just based on other things we've subsequently learned from the attack."

And F-Secure, which was the first to find the RSA email on VirusTotal, believes the attackers needed RSA SecurID tokens to get into Lockheed-Martin and Northrop Grumman.

EMC RSA's Schwartz says Branco's in-depth analysis of a targeted attack can help organizations in their own environments. "The way it describes the different stages of an exploit and how these types of attacks work and the risks associated with them" is helpful, Schwartz says.

"If you start to look and say, 'Here's how an attack like this begins,' you can start mapping it to other attacks you've seen and understand how it fits into the different portions of the 'kill chain' of the attack," he says. "After you experience this kind of attack, you become more sensitive to certain types … of indicators of compromise" and can begin to piece together potential targeted attacks as they emerge.

The spreadsheet used to infect EMC RSA users contained an embedded Flash object with an Adobe Flash Player zero-day exploit. When triggered, the exploit installed the Poison Ivy remote administrative tool, which is known for keylogging, scanning, and data exfiltration, among other things.

Still unclear is how the attackers chose their targets for the emails, and just how much intelligence they had about RSA's systems, if at all. "Did the attacker have all the information previously -- so, he knew RSA was using Windows XP, without DEP -- or did he just try to see if it works? This actually tells a lot about the sophistication of the attack," Qualys' Branco says.

Mikko Hypponen, chief research officer at F-Secure, said in his April post that the email used in the attack was simple, but the exploit was not. "And the ultimate target of the attacker was advanced. If somebody hacks a security vendor just to gain access to their customers systems, we'd say the attack is advanced, even if some of the interim steps weren't very complicated," he wrote.

Even so, the key steps to protecting against this attack would be patching, which Branco says RSA likely did, and running the latest data protection mechanisms, like DEP. Another key would be understanding the weakest points in the chain of access to the most valuable data, he says. "I mean, the target will always be the easiest one to target, like HR people, in this case. How the attack spread horizontally in the organization until it compromised really critical customer data is not really clear," he says.

And just how the attackers got to the SecurID servers remains a mystery, he says.

While some security experts have criticized RSA for keeping mum on many details surrounding the attack, Branco lauded RSA's openness. "RSA was very open regarding the attack, and this demonstrates a great level of maturity from their side. I wish we had more and more companies openly discussing the issues so everybody in the community could benefit and learn the hard lessons," he says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.