RSA Attack Was Part Of A Wider Campaign: Report

The malware used to compromise RSA Security earlier this year may have been used in attacks against more than 700 other organisations, according to a report by security writer and analyst Brian Krebs.

Facebook, Google and eBay are among the 760 organisations that may have been hit by malware that used the same command and control infrastructure as the one used in the RSA breach, security writer Brian Krebs wrote on Krebs On Security on 24 October. Of the total list, about 20 percent are considered to be Fortune 100 companies.

Compromise

The organisations on the list had networks that were compromised with “some of the same resources” used to hit RSA, according to Krebs. The networks were “phoning home” to some of the same C&C servers from the RSA breach, and the first attack could have been as early as November 2010.

“No one has been willing to talk publicly about which other companies may have been hit,” Krebs said, noting that security professionals had long suspected that RSA Security wasn’t the sole victim of the sophisticated malware that exploited several zero-day vulnerabilities.

These organisations were not compromised using data stolen from RSA Security, Krebs warned, but were likely hit by an RSA-style attack. The attackers may have been searching for information that could be used to launch other secondary attacks such as the one launched against military contractor Lockheed Martin in May.

RSA Security disclosed in spring that some of its systems had been infected by a malicious Excel spreadsheet booby-trapped with exploits targeting zero-day vulnerabilities in Adobe Flash Player. The attackers had targeted recruiters and human resources staff. Art Coviello, RSA’s chairman, warned about Advanced Persistent Threats and how adversaries are developing sophisticated threats designed to lurk in networks and not be detected by traditional defense systems.

Krebs did not disclose how the data was compiled or who conducted the analysis. Security professionals provided the list of organisations in a series of ongoing meetings with Congressional staff regarding APTs, according to Krebs.

Techniques reverse-engineered

However, it was worth noting that the list may not be entirely accurate because some of the organisations might not have been actually targeted. Security organisations, such as McAfee, Fortinet and Computer Emergency Response Team (CERT), on the list probably “intentionally compromised” their own systems to reverse-engineer the malware, Krebs said. Practically every major Internet service provider around the world, including China Telecomm, Comcast and the UK’s Orange, was also included in the list, but it was more likely that one of their subscribers had been infected by the malware instead of the service provider’s networks.

With the information available, it is not clear how many systems in each of the networks were actually infected or whether attackers successfully transferred sensitive data to remote servers for every single one of the victims. It is also not known how long the intruders were able to persistently lurk in the network. The breach for some of these organisations could have been minor, with only a single throwaway system, or it might have been extensive with several systems compromised.

A majority, or about 88 percent, of the C&C servers used in the attacks were located in China. There were other servers in South Korea, Brazil, India, Italy, Pakistan, the United States and the United Kingdom. Krebs said “the overwhelming majority” of the Chinese networks were located in or around Beijing.