Forgot your password?
typodupeerror
Botnet China Security IT

Tools, Techniques, Procedures of the RSA Hackers Revealed 54

Posted by timothy
from the more-links-than-a-sausage-factory dept.
An anonymous reader writes "Details of the tools, techniques and procedures used by the hackers behind the RSA security breach have been revealed in a research paper (PDF) published by Australian IT security company Command Five. The paper also, for the first time, explains links between the RSA hack and other major targeted attacks. This paper is a vendor-neutral must-read for any network defenders concerned by the hype surrounding 'Advanced Persistent Threats.'"
This discussion has been archived. No new comments can be posted.

Tools, Techniques, Procedures of the RSA Hackers Revealed

Comments Filter:
  • PDF eh? (Score:5, Funny)

    by checkitout (546879) on Sunday February 12, 2012 @01:22AM (#39009687)
    I think everyone is afraid to click on that link.
  • by Anonymous Coward on Sunday February 12, 2012 @01:29AM (#39009699)

    It was most interesting to see one antivirus lab take months longer than another to detect one of these rootkits -- and that the rootkit may have been out there for months longer than that.

    We might be past the useful span of antivirus software at this point. The attacker has always had the upper hand, being able to train malware against existing antivirus software.

    One piece of advice in there was to limit internal networks to using internal DNS. But it's smarter to go one step further. By determining which sites employees should visit and distributing a hosts file to all internal computers, a company can avoid the myriad risks of operating a DNS server. Then any outgoing DNS traffic can be detected by a savvy internalnet admin at the firewall, and the offending computers cleaned.

    E-mail attachments also continue to be a problem. The secret of the pros is to set up a script in your favorite language to detect e-mails with attachments, and move the attachments from the e-mail to the IT account. Then, once a trained professional examines each attachment, safe files can be copied into the folders of the relevant employees, and an e-mail sent to them to let them know they're in the clear.

    While good computer safety is complex, much of it can be automated or outsourced. But thankfully not all of it, am I right guys?

    • by pntkl (2187764)
      Maybe we should take the advice of Rector Mompesson, stop the cleanup, and burn it all! > : ) j/k
    • by khasim (1285) <brandioch.conner@gmail.com> on Sunday February 12, 2012 @02:16AM (#39009821)

      All internal systems should use the internal DNS server.
      The firewalls should block any outgoing DNS queries from any systems (except the internal DNS servers).
      The firewall logs should be checked each day for violations.
      The internal DNS server logs should be checked each day for unusual activity.

      Even if you cannot prevent your systems from being compromised you should be looking for the signs that they are compromised.

      • by jgrahn (181062)

        All internal systems should use the internal DNS server. The firewalls should block any outgoing DNS queries from any systems (except the internal DNS servers). The firewall logs should be checked each day for violations. The internal DNS server logs should be checked each day for unusual activity.

        Even if you cannot prevent your systems from being compromised you should be looking for the signs that they are compromised.

        You mean the "insights" section on page 17 in the report. That part scared me. They also recommend blocking traffic from the network to address X unless it's preceded by a DNS query which resolves to X. Breaking IP in non-obvious ways (impossible to debug unless you have control over the firewalls) has pretty bad consequences too ...

        • Re: (Score:3, Insightful)

          by Anonymous Coward

          well obviously, they're just proving that research papers are an
          excellent attack vector on folks who care about security and
          implement security recommendations blindly.

        • by Cramer (69040)

          That would break any cached lookups (which most OSes and applications have done for eons), local host file records (granted, they could be compromised), and access by direct IP address.

          It's not a half bad idea for systems in hostile environments. The problem is... no firewall in existance can do this out of the box. (it could be rigged up for a few of them.)

      • by Anonymous Coward

        The firewall logs should be checked each day for violations.

        I for one support this statement. It must be checked by a Unionized member of the Cisco Guild. We will have job security forever.

    • Companies need to have two types of networks, one that connects to everything (ie Internet) with the normal security measures. One that connects to nothing outside the company in any way, and does not connect to the other network that connects to everything.

      The internal network should host a minimum set of applications and databases that hold whatever is actually important to secure.

      This doesn't do anything about CEOs who will sell company tech to boost their bonuses but it will make it more difficult for

    • by Dogers (446369)

      My question is why do the client machines (heck, even servers) need direct unfettered internet access? Block everything outbound, use a proxy and you have control of it - especially if you have a proxy that can intercept SSL and runs AV.

      Also, assuming Windows, you can lock down exactly what software is allowed to run. Don't have admin rights? Can't modify what can run, can't install new software, can't run malware.

      Straight away you're far more secure.

  • Not much about RSA (Score:5, Informative)

    by Sarten-X (1102295) on Sunday February 12, 2012 @01:44AM (#39009745) Homepage

    The report details malware that connected to a particular control host, named alyac.org. The host was used in an attack on SK Communications. One particular piece of malware (the Murcy malware the paper describes) is indicated to have been used in the RSA attack.

    The RSA connection is detailed in the paragraph of the report titled "Link To RSA Breach":

    The majority of the known callback domains for Murcy malware were used in the March 2011 RSA breach. This suggests that the attackers responsible for the RSA breach also use the Murcy malware. Given that the malware is reportedly not in widespread use, the Chinese server communicating with ‘path.alyac.org’ may have been compromised by the same attackers responsible for the RSA breach

    There's little else that's really information specifically about the RSA breach. Still a nice bit of information about malware, but it'd be nice if the summary mentioned SK Communications, since that's the paper's real focus.

    • by Anonymous Coward on Sunday February 12, 2012 @02:15AM (#39009815)

      The Murcy malware is apparently also linked by the protocol it uses ('IP2B') to the Night Dragon attacks and a family of malware called the 'Destory RAT'. The shared infrastructure and tools indicate that the same attackers responsible for the SK Communications hack were behind both the RSA hack and Sykipot malware; presumably we can conclude that the description of their "Techniques and Procedures" applies equally to all.

    • by Sulphur (1548251)

      The majority of the known callback domains for Murcy malware were used in the March 2011 RSA
      breach. This suggests that the attackers responsible
      for the RSA breach also use the Murcy malware.
      Given that the malware is reportedly not in
      widespread use, the Chinese server communicating
      with ‘path.alyac.org’ may have been compromised by
      the same attackers responsible for the RSA breach

      A Chinese site hacked, is nothing sacred?

  • Silly q (Score:2, Interesting)

    by AHuxley (892839)
    But what is a "Financial IP address" wrt the chart on page 12? Most of the other data is an ip or domain?
    • by pntkl (2187764)

      But what is a "Financial IP address" wrt the chart on page 12? Most of the other data is an ip or domain?

      From page 16: "... an IP address allocated to a large US financial institution."

      • by AHuxley (892839)
        Yes but what was its role?
        Based on the lines was it watching, been watched, provided cover, been used to move funds, a drop off point for data on the move?
      • If you look at the whois record (http://whois.arin.net/rest/net/NET-75-100-117-112-1/pft), you'll see that it is indeed listed as owned by a financial institution -- at least, in theory. As they pointed out in the article, the attackers registered DNS names using look-alike credentials, so why not do the same with IP blocks? If you look closer at the above whois, you'll notice that ARIN has been unable to contact the Point of Contact who registered the IPs since 2 weeks after they were registered and the em

  • "the compromised computer communicating with âpath.alyac.orgâ(TM) is running Windows 2003 Server Web Edition, Service Pack 2 .. only computers running Windows XP were observed communicating with âpath.alyac.orgâ(TM)". Command and Control in the Fifth Domain [commandfive.com], Feb 2012
    • by Anonymous Coward

      The second statement appears to refer only to 'XShell' communications, when considered as part of the full sentence: "While XShell supports numerous versions of the Windows OS (including Windows XP, Vista, Windows 7, and Windows 2000, 2003 and 2008 server both 32 and 64 bit versions), only computers running Windows XP were observed communicating with 'path.alyac.org'." (p. 4)

      (The 'Windows 2003 Server Web Edition, Service Pack 2' computer was communicating via the 'LURK' protocol - see page 2).

  • by Anonymous Coward

    You can just copy and paste text from the blacked out areas if you want to see it.

    • Re: (Score:2, Funny)

      by Anonymous Coward

      Oh really? What does it say? I don't speak 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'

  • by sgt scrub (869860) <<moc.oohay> <ta> <muitnias>> on Sunday February 12, 2012 @10:33AM (#39011043)

    IMHO the most important thing in the article is that the malware was digitally signed. This exposes the weakness in digital signatures. Not only for applications and modules(drivers) but UEFI and all of the other "secure boot" ideas.

    • IMHO the most important thing in the article is that the malware was digitally signed. This exposes the weakness in digital signatures. Not only for applications and modules(drivers) but UEFI and all of the other "secure boot" ideas.

      I'd go a bit further in saying that it exposes the weakness ouf using digital signatures period in all applications of it - legal and otherwise.

  • If this was a real reveal, there'd be no blacked out information.

    • by godel_56 (1287256)

      If this was a real reveal, there'd be no blacked out information.

      BTW, amusingly for a security company document, I think the PDF has been improperly redacted. Using Foxit Reader I jumped to the end of the document and then scrolled forward from there. I could briefly read the content of figures 10 and 11 on page 14 with no problem.

      When I reversed direction they were blacked out again, and I have been unable to repeat the trick. From what I read, I don't know why they bothered. Both messages were bland and unconvincing phishing invitations to an unnamed conference, with

The sooner all the animals are extinct, the sooner we'll find their money. - Ed Bluestone

Working...