Opening Up One E-mail Attachment Compromised Security Around The Globe…


RSA distributes advanced security systems to companies worldwide. F-Secure discovers how one very simple trojan instantly compromised security around the globe. Social engineering will always be the weak point of any security plan:

So, what did the email look like? It was an email that was spoofed to look like it was coming from a recruiting website. It had the subject “2011 Recruitment plan” and one line of content:
   “I forward this file to you for review. Please open and view it”. 
The message was sent to one EMC employee and cc’d to three others.

In this video you can see us opening the email to Outlook and launching the attachment. The embedded Flash object shows up as a [X] symbol in the spreadsheet. The Flash object is executed by Excel (why the heck does Excel support embedded Flash is a great question). The Flash object then uses the CVE-2011-0609 vulnerability to execute code and to drop a Poison Ivy backdoor to the system. The exploit code then closes Excel and the infection is over.

After this, Poison Ivy connects back to its server at The domain has been used in similar espionage attacks over an extended period of time.

Once the connection is made, the attacker has full remote access to the infected workstation. Even worse, it has full access to network drives that the user can access. Apparently the attackers were able to leverage this vector further until they gained access to the critical SecurID data they were looking for.

The attack email does not look too complicated. In fact, it’s very simple. However, the exploit inside Excel was a zero-day at the time and RSA could not have protected against it by patching their systems. 

So, was this an Advanced attack? The email wasn’t advanced. The backdoor they dropped wasn’t advanced. But the exploit was advanced. And the ultimate target of the attacker was advanced. If somebody hacks a security vendor just to gain access to their customers’ systems, we’d say the attack is advanced, even if some of the interim steps weren’t very complicated.
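
Because the exploit was a zero-day and patching could not help, one control that still applies to the attachment described above is flagging Office files that carry embedded Flash content at the mail gateway. The Python sketch below is an added example, not code from F-Secure or RSA; the function names, the version bound, the triage labels and the sample bytes are assumptions constructed for illustration.

```python
import struct
import zlib

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy .xls/.doc compound file header
MAX_SWF_VERSION = 50                            # assumed upper bound for the version byte

def plausible_header(data: bytes, off: int, sig: bytes) -> bool:
    """Check that the bytes at off look like a SWF header, not just the letters FWS/CWS."""
    if off + 8 > len(data):
        return False
    version = data[off + 3]
    (length,) = struct.unpack_from("<I", data, off + 4)   # declared uncompressed size
    if not 1 <= version <= MAX_SWF_VERSION or length <= 8:
        return False
    if sig == b"FWS":                                     # uncompressed: must fit in the file
        return length <= len(data) - off
    try:                                                  # CWS: body after 8 bytes is zlib
        out = zlib.decompressobj().decompress(data[off + 8:off + 8 + 4096], 64)
    except zlib.error:
        return False
    return len(out) > 0

def find_embedded_swf(data: bytes) -> list:
    """Return sorted (offset, signature, version, declared_length) tuples."""
    hits = []
    for sig in (b"FWS", b"CWS"):
        off = data.find(sig)
        while off != -1:
            if plausible_header(data, off, sig):
                (length,) = struct.unpack_from("<I", data, off + 4)
                hits.append((off, sig.decode(), data[off + 3], length))
            off = data.find(sig, off + 1)
    return sorted(hits)

def triage_attachment(data: bytes) -> str:
    """Quarantine Office compound files that embed Flash; send other Flash hits to review."""
    if not find_embedded_swf(data):
        return "pass"
    return "quarantine" if data.startswith(OLE_MAGIC) else "review"

def sample_xls() -> bytes:
    """Constructed sample: OLE magic, a decoy 'FWS' text string, then a fake compressed SWF."""
    body = b"\x00" * 64                                   # filler, not a real Flash movie
    swf = b"CWS" + bytes([10]) + struct.pack("<I", 8 + len(body)) + zlib.compress(body)
    return OLE_MAGIC + b"\x00" * 504 + b"FWS report totals" + swf + b"\x00" * 128

if __name__ == "__main__":
    print(find_embedded_swf(sample_xls()), triage_attachment(sample_xls()))
```

A raw byte scan like this can miss an object whose stream is fragmented across non-contiguous sectors of the compound file, so a production filter would walk the OLE streams before applying the same header check.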
