Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


03:41 PM
Connect Directly

Researcher: DEP Would Have Stopped Exploit Used In RSA Breach

Qualys research says EMC RSA phishing victims likely were running Windows XP

New research dissecting the initial exploit and malware used in the attack against RSA concludes that Windows' Data Execution Prevention (DEP) would have halted the attack if the victims were on Windows 7 machines.

DEP, which is built into Windows 7 and is available for Vista and XP SP2, would have stopped the exploit in its tracks, says Rodrigo Rubira Branco, director of Qualys' Vulnerability & Malware Research Labs, who tested the exploit and published his results today. He says it appears that the EMC RSA victims were running XP and did not have DEP enabled on their systems.

"The victims were using Windows XP, which is DEP-capable since SP2. I know that for sure because the exploit won't work against Windows 7 due to limitations in the exploit code itself," Branco says. "In this specific case, it was possible to change the exploit to work against DEP, but the exploit has been likely reused from another target. Having DEP on would prevent the exploitation.

"We can't say that the attacker would not change the exploit and try again, but it clearly was going to give more time to the defense to detect the attack and mitigate its effects."

Researchers have demonstrated bypassing DEP in older versions of Windows. Branco says the exploit demonstrates how even using patched, older technologies can leave an organization vulnerable. "If you use old technologies, even when they are patched, they are more exposed since the prevention mechanisms are not there, and when they are, they are easily bypassed," he says.

Branco, who published his new research today in a blog post, says digging into the original phishing email and rigged Excel attachment helped confirm the theory that the attackers wanted access to U.S. military contractors, not RSA itself.

RSA has said publicly that its breach was a means to an end for the attackers. "We were a path to try to attack other organizations," says Eddie Schwartz, CSO for EMC RSA. "That was very clear just based on other things we've subsequently learned from the attack."

And F-Secure, which was the first to find the RSA email on VirusTotal, believes the attackers needed RSA SecurID tokens to get into Lockheed-Martin and Northrop Grumman.

EMC RSA's Schwartz says Branco's in-depth analysis of a targeted attack can help organizations in their own environments. "The way it describes the different stages of an exploit and how these types of attacks work and the risks associated with them" is helpful, Schwartz says.

"If you start to look and say, 'Here's how an attack like this begins,' you can start mapping it to other attacks you've seen and understand how it fits into the different portions of the 'kill chain' of the attack," he says. "After you experience this kind of attack, you become more sensitive to certain types … of indicators of compromise" and can begin to piece together potential targeted attacks as they emerge.

The spreadsheet used to infect EMC RSA users contained an embedded Flash object with an Adobe Flash Player zero-day exploit. When triggered, the exploit installed the Poison Ivy remote administrative tool, which is known for keylogging, scanning, and data exfiltration, among other things.

Still unclear is how the attackers chose their targets for the emails, and just how much intelligence they had about RSA's systems, if at all. "Did the attacker have all the information previously -- so, he knew RSA was using Windows XP, without DEP -- or did he just try to see if it works? This actually tells a lot about the sophistication of the attack," Qualys' Branco says.

Mikko Hypponen, chief research officer at F-Secure, said in his April post that the email used in the attack was simple, but the exploit was not. "And the ultimate target of the attacker was advanced. If somebody hacks a security vendor just to gain access to their customers systems, we'd say the attack is advanced, even if some of the interim steps weren't very complicated," he wrote.

Even so, the key steps to protecting against this attack would be patching, which Branco says RSA likely did, and running the latest data protection mechanisms, like DEP. Another key would be understanding the weakest points in the chain of access to the most valuable data, he says. "I mean, the target will always be the easiest one to target, like HR people, in this case. How the attack spread horizontally in the organization until it compromised really critical customer data is not really clear," he says.

And just how the attackers got to the SecurID servers remains a mystery, he says.

While some security experts have criticized RSA for keeping mum on many details surrounding the attack, Branco lauded RSA's openness. "RSA was very open regarding the attack, and this demonstrates a great level of maturity from their side. I wish we had more and more companies openly discussing the issues so everybody in the community could benefit and learn the hard lessons," he says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/27/2020
Chinese Attackers' Favorite Flaws Prove Global Threats, Research Shows
Kelly Sheridan, Staff Editor, Dark Reading,  10/27/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-10-28
An XSS vulnerability in the auto-complete function of the description field (for new or edited transactions) in Firefly III before 5.4.5 allows the user to execute JavaScript via suggested transaction titles. NOTE: this is exploitable only in a non-default configuration where Content Security Policy...
PUBLISHED: 2020-10-28
Gophish before 0.11.0 allows the creation of CSV sheets that contain malicious content.
PUBLISHED: 2020-10-28
Cross Site Scripting (XSS) vulnerability in Gophish before 0.11.0 via the Host field on the send profile form.
PUBLISHED: 2020-10-28
Cross Site Scripting (XSS) vulnerability in Gophish through 0.10.1 via a crafted landing page or email template.
PUBLISHED: 2020-10-28
Gophish before 0.11.0 allows SSRF attacks.