Poison Ivy Infected RSA to Steal SecurID

Monday, August 29, 2011 @ 04:08 PM gHale

Poison Ivy scratched and clawed its way into RSA Security to make off with the company’s SecurID authentication product.

It took months, but security researchers found a copy of the advanced persistent threat (APT) used against RSA and, sure enough, it dropped a variant of the Poison Ivy backdoor.


The March RSA Security attack resulted in the theft of the company’s SecurID two-factor authentication product.

The company eventually offered to replace all SecurID tokens for its customers, estimated at 40 million, and has already reported losses of $60 million resulting from the incident.

RSA previously revealed the attack involved an email sent to its employees that carried an Excel file called “2011 Recruitment plan.” This file bundled a zero-day Flash Player exploit.

Security researchers worked toward finding the file in question for months, and finally, a week ago, Timo Hirvonen, a malware analyst at F-Secure, had a breakthrough.

He wrote a tool that analyzed malware samples for Flash objects most likely associated with an exploit for this vulnerability. One of the identified samples was an Outlook file, and when Hirvonen opened it he realized it was the exact email sent to RSA employees.
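As an added illustration (not Hirvonen's tool, whose internals the article does not describe), here is a small scanner that flags embedded Flash (SWF) objects inside an arbitrary byte blob, such as a suspicious Office attachment, by their signature and header. The sample bytes are constructed for the demonstration.

```python
import re
import struct

# SWF files start with a 3-byte signature (FWS = uncompressed, CWS = zlib,
# ZWS = LZMA), a version byte and a 4-byte little-endian uncompressed length.
SWF_MAGIC = re.compile(rb"(FWS|CWS|ZWS)")
COMPRESSION = {"FWS": "none", "CWS": "zlib", "ZWS": "lzma"}

def find_embedded_swf(data: bytes, max_version: int = 40) -> list:
    """Return candidate SWF headers found anywhere in data.

    Each hit records the offset, the compression scheme implied by the
    signature, the SWF version byte and the declared uncompressed length.
    Random byte runs that happen to match a signature are filtered out by
    requiring a plausible version and, for uncompressed files, a declared
    length that is at least the header size and not larger than the
    bytes remaining in the blob.
    """
    hits = []
    for m in SWF_MAGIC.finditer(data):
        off = m.start()
        header = data[off:off + 8]
        if len(header) < 8:
            continue
        sig = header[:3].decode("ascii")
        version = header[3]
        declared_len = struct.unpack("<I", header[4:8])[0]
        if version == 0 or version > max_version or declared_len < 8:
            continue
        # An uncompressed SWF cannot declare more bytes than are present.
        if sig == "FWS" and declared_len > len(data) - off:
            continue
        hits.append({
            "offset": off,
            "compression": COMPRESSION[sig],
            "version": version,
            "declared_length": declared_len,
        })
    return hits

# Constructed sample: an OLE magic prefix plus filler standing in for
# spreadsheet content, one zlib-compressed SWF header (version 10, 4096
# bytes declared) in the middle, and a decoy "FWS" whose declared length
# exceeds the data on hand and must be rejected.
SAMPLE = (
    b"\xd0\xcf\x11\xe0" + b"A" * 40
    + b"CWS" + bytes([10]) + struct.pack("<I", 4096) + b"x" * 20
    + b"FWS" + bytes([9]) + struct.pack("<I", 1 << 30) + b"B" * 8
)

if __name__ == "__main__":
    for hit in find_embedded_swf(SAMPLE):
        print(hit)
```

A hit only says a Flash object is present; the embedded stream still has to be extracted and examined before concluding it is malicious.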

The subject of the email was “2011 Recruitment plan,” the content read “I forward this file to you for review. Please open and view it” and the attached file was called “2011 Recruitment plan.xls.”

The malware installed by the exploit is unimpressive, being a variant of a well-known remote administration tool (RAT) called Poison Ivy, researchers said. This backdoor has been out there since 2006.

However, given the fact the attack used a zero-day exploit and targeted the customers of a security vendor, experts consider it advanced.

“If somebody hacks a security vendor just to gain access to their customers’ systems, we’d say the attack is advanced, even if some of the interim steps weren’t very complicated,” said F-Secure’s chief research officer Mikko Hypponen.
