Tools, Techniques, Procedures of the RSA Hackers Revealed

An anonymous reader writes "Details of the tools, techniques and procedures used by the hackers behind the RSA security breach have been revealed in a research paper (PDF) published by Australian IT security company Command Five. The paper also, for the first time, explains links between the RSA hack and other major targeted attacks. This paper is a vendor-neutral must-read for any network defenders concerned by the hype surrounding 'Advanced Persistent Threats.'"

  • Not much about RSA (Score:5, Informative)

    by Sarten-X ( 1102295 ) on Sunday February 12, 2012 @02:44AM (#39009745)

    The report details malware that connected to a particular control host, named alyac.org. The host was used in an attack on SK Communications. One particular piece of malware (the Murcy malware the paper describes) is indicated to have been used in the RSA attack.

    The RSA connection is detailed in the paragraph of the report titled "Link To RSA Breach":

    The majority of the known callback domains for Murcy malware were used in the March 2011 RSA breach. This suggests that the attackers responsible for the RSA breach also use the Murcy malware. Given that the malware is reportedly not in widespread use, the Chinese server communicating with ‘path.alyac.org’ may have been compromised by the same attackers responsible for the RSA breach.

    There's little else that's really information specifically about the RSA breach. Still a nice bit of information about malware, but it'd be nice if the summary mentioned SK Communications, since that's the paper's real focus.

  • by khasim ( 1285 ) <brandioch.conner@gmail.com> on Sunday February 12, 2012 @03:16AM (#39009821)

    All internal systems should use the internal DNS server.
    The firewalls should block any outgoing DNS queries from any systems (except the internal DNS servers).
    The firewall logs should be checked each day for violations.
    The internal DNS server logs should be checked each day for unusual activity.

    Even if you cannot prevent your systems from being compromised you should be looking for the signs that they are compromised.
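    One way to run the two daily checks khasim lists, as an added example that is neither khasim's code nor anything from the Command Five paper. It assumes a simplified iptables-style firewall log, a BIND-style resolver query log, an allowlist of the internal resolver addresses and a baseline set of expected domains; all addresses and log lines below are constructed, and the one domain taken from the thread (path.alyac.org) is used only as the name a defender would want flagged.

```python
import re

# Assumed allowlist: the only hosts permitted to send DNS across the perimeter.
INTERNAL_DNS_SERVERS = {"10.0.0.53", "10.0.1.53"}

# Constructed firewall log, simplified iptables-style fields (not real data).
FIREWALL_LOG = """\
Feb 12 02:44:01 fw kernel: OUT=eth1 SRC=10.0.0.53 DST=198.51.100.1 PROTO=UDP SPT=40123 DPT=53
Feb 12 02:44:07 fw kernel: OUT=eth1 SRC=10.0.5.17 DST=203.0.113.9 PROTO=UDP SPT=51002 DPT=53
Feb 12 02:44:09 fw kernel: OUT=eth1 SRC=10.0.5.17 DST=203.0.113.9 PROTO=TCP SPT=51003 DPT=443
Feb 12 02:45:30 fw kernel: OUT=eth1 SRC=10.0.7.4 DST=203.0.113.9 PROTO=TCP SPT=33011 DPT=53
"""
FW_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) .*DPT=(?P<dpt>\d+)")

def egress_dns_violations(log_text, allowed=INTERNAL_DNS_SERVERS):
    """(src, dst, proto) for outbound port-53 traffic from hosts that are not resolvers."""
    hits = []
    for line in log_text.splitlines():
        m = FW_RE.search(line)
        if m and m["dpt"] == "53" and m["src"] not in allowed:
            hits.append((m["src"], m["dst"], m["proto"]))
    return hits

# Constructed resolver query log in a BIND-like layout (not real data).
DNS_LOG = """\
12-Feb-2012 02:44:01.100 client 10.0.2.8#53211: query: www.example.com IN A +
12-Feb-2012 02:44:02.300 client 10.0.2.9#53212: query: mail.example.com IN A +
12-Feb-2012 02:44:03.900 client 10.0.5.17#53213: query: path.alyac.org IN A +
12-Feb-2012 02:44:04.100 client 10.0.2.8#53214: query: www.example.com IN A +
"""
DNS_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<name>\S+)")

def unusual_queries(log_text, baseline):
    """(client, name) for queries whose registered domain (taken as the last two
    labels, a simplification that mishandles suffixes like co.uk) is not in baseline."""
    hits = []
    for line in log_text.splitlines():
        m = DNS_RE.search(line)
        if not m:
            continue
        domain = ".".join(m["name"].lower().rstrip(".").split(".")[-2:])
        if domain not in baseline:
            hits.append((m["client"], m["name"]))
    return hits

def hosts_in_both(fw_hits, dns_hits):
    """Hosts that both bypassed the resolver and queried an unfamiliar domain."""
    return sorted({src for src, _, _ in fw_hits} & {client for client, _ in dns_hits})
```

    A host that shows up in both lists (here the constructed 10.0.5.17) is the kind of lead the daily review is meant to surface: it talked past the resolver and also asked the resolver for a domain nobody on the network normally uses.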
