Let’s first make sure everyone is on the same page. The number of enterprises hit by APTs grows by the month; and the range of APT targets includes just about every industry. Unofficial tallies number dozens of mega corporations attacked; examples are in the press regularly, and some examples are here, and here.
These companies deploy any imaginable combination of state-of-the-art perimeter and end-point security controls, and use all imaginable combinations of security operations and security controls. Yet still the determined attackers find their way in. What does that tell you?
The first thing actors like those behind the APT do is seek publicly available information about specific employees – social media sites are always a favorite. With that in hand they then send that user a Spear Phishing email. Often the email uses target-relevant content; for instance, if you’re in the finance department, it may talk about some advice on regulatory controls.
The attacker in this case sent two different phishing emails over a two-day period. The two emails were sent to two small groups of employees; you wouldn’t consider these users particularly high profile or high value targets. The email subject line read “2011 Recruitment Plan.”
The email was crafted well enough to trick one of the employees to retrieve it from their Junk mail folder, and open the attached excel file. It was a spreadsheet titled “2011 Recruitment plan.xls.
The spreadsheet contained a zero-day exploit that installs a backdoor through an Adobe Flash vulnerability (CVE-2011-0609). As a side note, by now Adobe has released a patch for the zero-day, so it can no longer be used to inject malware onto patched machines.
OK, back to the attack. As you know, the next step in a typical APT is to install some sort of a remote administration tool that allows the attacker to control the machine. In our case the weapon of choice was a Poison Ivy variant set in a reverse-connect mode that makes it more difficult to detect, as the PC reaches out to the command and control rather than the other way around. Similar techniques were reported in many past APTs, including GhostNet.
Having set remote access, now the attacker in a typical APT starts digital shoulder surfing to establish the employee’s role and their level of access. If this isn’t sufficient for the attackers’ purpose, they will seek user accounts with better, more relevant, privileges. I’ve pieced together a separate blog post as an appendix, talking about the attack end-to-end and providing more data.
When it comes to APTs it is not about how good you are once inside, but that you use a totally new approach for entering the organization. You don’t bother to just simply hack the organization and its infrastructure; you focus much more of your attention on hacking the employees.
One cannot stress enough the point about APTs being, first and foremost, a new attack doctrine built to circumvent the existing perimeter and endpoint defenses. It’s a little similar to stealth air fighters: for decades you’ve based your air defense on radar technology, but now you have those sneaky stealth fighters built with odd angles and strange composite materials. You can try building bigger and better radars, or, as someone I talked to said, you can try staring more closely at your existing radars
via blogs.rsa.com
Uri has more details on the RSA attack over on his blog. I had an idea we had a breach when the corporate infrastructure rapidly began locking down while I was connected to it, but I had no idea where or what the severity was.
Regardless, this criminal investigation continues and the scary people from scary places still stalk the halls.
