Closing the backdoor…
Today Mikko Hypponen from F-Secure announced they had retrieved and analyzed the Excel file used to create a backdoor into RSA.
The attacker used a phishing attempt to send an Excel file loaded with an embedded Flash object to a recipient inside RSA. Once opened, the Excel file used an advanced 0-day exploit executed by the embedded Flash object to create a backdoor that allows full remote access to the infected workstation.
Certainly this brings up the obvious warnings about not opening strange attachments, etc. However, the reality is that spear phishing attempts work. This wasn’t even a case of a highly sophisticated spear phishing attack (you can see the original email on Mikko’s blog entry listed above). Examples of successful spear phishing, like the IMF breach and the Epsilon breach, highlight that we should not only continue to educate end users to recognize the red flags and the dangers of opening attachments, but also be prepared for the inevitable human mistake.
If a user falls prey to a phishing attempt, and a 0-day exploit evades our endpoint security, what can we do?
- In this case, the backdoor opened connections to servers at mincesure.com that have been used in previous espionage attacks. Using an IP reputation list could have detected the initial connection and actions could have been taken to stop it.
- What if they hadn’t used a known IP address? If you look up the geo-location of the destination IP address, you can see that it is in Venezuela. Using geo-location could have detected irregular data traffic being sent to an uncommon destination.
- Or what if the location wasn’t interesting? Once the backdoor was established, having a mechanism to recognize which user accounts access files on the workstation could have identified abuse of the system or of other accounts.
- Maybe the user account did have permission to access the files. In that case, it was the sequence of file accesses following the new connection to an unknown location that could have signalled that an attack was occurring.
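To make the four layers above concrete, here is an added example of a small correlation routine run over a constructed event stream; it is not code from this post, F-Secure or RSA. The domain mincesure.com and the Venezuela geo-location come from the post; everything else (the event format, the TEST-NET IP addresses, the geo lookup table, the set of expected countries, the burst threshold and window, and the log lines themselves) is an assumption constructed for the example.

```python
"""
Layered detection over a constructed event stream, in the order the post lists
the layers: reputation, geolocation, account/file access, and sequence.
Added example for this post, not code from F-Secure or RSA. The event format,
intel entries (other than mincesure.com), geo table and sample events are all
assumptions constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Layer 1: reputation list. mincesure.com is named in the post; the IP is a
# constructed TEST-NET address standing in for an intel-feed entry.
KNOWN_BAD = {"mincesure.com", "203.0.113.10"}

# Layer 2: constructed geo table keyed by /24 prefix (a real deployment would
# query a GeoIP database instead).
GEO_BY_PREFIX = {"203.0.113": "VE", "198.51.100": "VE", "192.0.2": "US"}
EXPECTED_COUNTRIES = {"US", "GB", "DE"}  # assumed normal destinations for this org

# Layer 4: how many file reads within BURST_WINDOW seconds of a suspicious
# outbound connection count as an exfiltration-style sequence.
BURST_THRESHOLD = 5
BURST_WINDOW = 60


@dataclass
class Alert:
    layer: str
    ts: int
    detail: str


def geo_of(ip: str) -> Optional[str]:
    """Country code for an IPv4 address via the constructed prefix table."""
    return GEO_BY_PREFIX.get(ip.rsplit(".", 1)[0])


def detect(events: List[dict]) -> List[Alert]:
    """Run all four layers over time-ordered events and return the alerts raised."""
    alerts: List[Alert] = []
    suspicious_conn_ts: Optional[int] = None  # first connection that tripped layer 1 or 2
    reads_after_conn: Dict[str, int] = {}     # account -> file reads since that connection

    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["kind"] == "conn":
            dst, ip = ev["dst"], ev["dst_ip"]
            tripped = False
            if dst in KNOWN_BAD or ip in KNOWN_BAD:  # layer 1: reputation
                alerts.append(Alert("reputation", ev["ts"], f"outbound to known-bad {dst} ({ip})"))
                tripped = True
            country = geo_of(ip)
            # An address the table cannot resolve is treated as unexpected, not ignored.
            if country not in EXPECTED_COUNTRIES:  # layer 2: geolocation
                alerts.append(Alert("geolocation", ev["ts"], f"outbound to {ip} in {country or 'unknown'}"))
                tripped = True
            if tripped and suspicious_conn_ts is None:
                suspicious_conn_ts = ev["ts"]

        elif ev["kind"] == "file":
            acct, host_user, path = ev["account"], ev["host_user"], ev["path"]
            if acct != host_user:  # layer 3: an account other than the logged-on user
                alerts.append(Alert("account", ev["ts"], f"{acct} read {path} on {host_user}'s workstation"))
            # Layer 4 fires even for an account that is allowed to read the files:
            # it is the burst right after the odd connection that matters.
            if suspicious_conn_ts is not None and 0 <= ev["ts"] - suspicious_conn_ts <= BURST_WINDOW:
                reads_after_conn[acct] = reads_after_conn.get(acct, 0) + 1
                if reads_after_conn[acct] == BURST_THRESHOLD:
                    alerts.append(Alert("sequence", ev["ts"],
                                        f"{acct} read {BURST_THRESHOLD} files within {BURST_WINDOW}s "
                                        f"of the connection at t={suspicious_conn_ts}"))
    return alerts


# Constructed sample: a benign update check, the backdoor's first beacon, the
# logged-on user's files being read in a burst, then a read by a different account.
SAMPLE_EVENTS = [
    {"ts": 0, "kind": "conn", "dst": "updates.example.org", "dst_ip": "192.0.2.5"},
    {"ts": 10, "kind": "conn", "dst": "mincesure.com", "dst_ip": "203.0.113.10"},
] + [
    {"ts": 20 + i, "kind": "file", "account": "alice", "host_user": "alice",
     "path": f"/share/eng/design{i}.doc"} for i in range(5)
] + [
    {"ts": 45, "kind": "file", "account": "svc-backup", "host_user": "alice",
     "path": "/share/eng/roadmap.xls"},
]


def layers_fired(events: List[dict]) -> List[str]:
    """Names of the layers that raised an alert, in the order they fired."""
    return [a.layer for a in detect(events)]


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"t={a.ts:>3} [{a.layer:<11}] {a.detail}")
```

Each layer is deliberately independent of the one before it: a beacon to an unlisted address in an unexpected country still trips the geolocation check, and a permitted account reading files still trips the sequence check once the burst follows a suspicious connection. The sequence layer is the one that survives when the attacker uses a fresh IP in a plausible country and a legitimate account, which is exactly the case the last bullet describes.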
While it’s important to continually educate our end users on attacks they can help prevent, as security professionals we must have safeguards for when mistakes are made. Although the attacks themselves may not be sophisticated, they can still bypass many of our traditional security solutions. However, with behavior analysis and pattern recognition we should be able to detect and prevent these types of breaches.