RSA Compromised by APT (1 of 2)

A couple of days ago the Executive Chairman of RSA, Art Coviello, released an open letter to its customers talking vaguely of a compromise that has occurred within RSA. Coviello does not describe the events clearly, so customers cannot fully understand the scope of the activity; he states only that “our security systems identified an extremely sophisticated cyber attack in progress” and that the “investigation also revealed that the attack resulted in certain information being extracted from RSA’s systems”. Which systems were accessed by the threat actors and what information was extracted remains a mystery. The only thing RSA has revealed is that there was “certain information being extracted from RSA’s systems that relates to RSA’s SecurID two-factor authentication products”. Coviello does offer some comfort to his customers by stating “we are confident that the information extracted does not enable a successful direct attack”.

RSA being successfully targeted and exploited is incredibly serious because of the number of customers RSA has, and because of what their data would provide to nefarious actors. Multiple governments, militaries, and large and small companies rely on RSA for security solutions, and the data these customers hold is incredibly sensitive. A threat actor going after the security solution itself shows a higher skill level and thought process: if you can compromise the security solution, you can potentially access the sensitive data without tipping off any alarms (i.e. creating a fake account using stolen personally identifiable information versus compromising someone’s existing account).

RSA has multiple security solution products that are not limited to two-factor authentication. In a previous blog by Cyber Squared we discussed the use of digitally signed malware, and guess who is a producer of digital signatures? Yup, RSA. With most successful intrusions carried out by sophisticated actors, the full extent of the damage is not realized for months, years, or ever, for that matter. Were certificates stolen? If so, is RSA even aware this occurred? What are the further implications of these stolen certificates? Since certificates are used for non-repudiation, could there be false transactions seen in the future? In a worst case scenario, the actors who targeted Nasdaq, the London Stock Exchange and RSA are the same. Using stolen digital certificates, such an actor could impersonate another company, influence stock prices and create a market crash in a time of crisis. Is something like that so far off?

Mandiant, in their M-Trends report, discussed the intrusions and compromises associated with another non-repudiation system, PKI. Whoever is able to compromise a PKI certificate and use it for nefarious purposes is able to do something similar (i.e. send a digitally signed email to a stock market analyst saying to sell shares, or provide company information that forces a shift in the market).

  • The advanced persistent threat is becoming more and more calculated in its attacks, as one can see from the Nasdaq compromises, the creation and use of STUXNET, the targeting of PKI, and the potential compromises of the London Stock Exchange, to name a few high profile intrusions. All companies need to become more aware of their inherent security vulnerabilities, and of those of the companies they purchase security products from, to ensure their data is not at risk.
  • The most advanced threat actors are no longer trying to entice someone to click on an email or perform a redirection and then conduct a smash and grab within your network. They want to impersonate someone, target them at a vulnerable location (i.e. their home system) and then gain access to the company’s network as if they were the victim (i.e. “riding” a VPN session).

Reference: Link to RSA Letter