RSA Attack: All That Glitters Isn't China

Wednesday, September 07, 2011

J. Oquendo

850c7a8a30fa40cf01a9db756b49155a

"Intelligence analysts should be self-conscious about their reasoning processes. They should think about how they make judgments and reach conclusions, not just about the judgments and conclusions themselves." Richard J. Heuer

As I performed my analysis of the attack that led to the compromise of the RSA Corporation, I choose to follow the information that was visible to me.

I chose specifically to avoid following the herd an in doing so, I believe it enables me to get a clear picture of what companies and analysts miss when it comes to "defense" whether in depth or not.

From an analytical perspective, it would have been quick and effective to tout the same run of the mill response as other analysts have done in the past: "It was China! I have proof! See the IP." In the end, it is hard to attribute the source of the attack. However, I will stick to my guns and go with an RBN based attacker as opposed to a Chinese APT.

image

Information being what it is, and what it was, let's take a step to the side and observe the following statement: "Well I think someone in high places just kicked China in the financial teeth... This is big it makes China look weak so beware China will strike back soon. We should be ready….." [2]

Statements such as these in relevance to "cyberwarfare" lead to cloudy intelligence. According to the "cyber-expert" on that blog, we are to believe that the attack on the Hong Kong Exchange was possibly retaliation from the United States in response to "Shady Rat" attacks.

An amazing statement to write when no information to support that statement was available. Pure speculation and in the end, the attacker was found in Hong Kong. There was no mystical US Cyber Attack Squad. [3] Was there a follow-up to that initial statement on the "cyberwarfare" blog? No.

This means that anyone reading that page was lead to believe that some grandiose "campaign" occurred or is occurring. This means that anyone who in the future, stumbles upon that blog is led to believe there are all sorts of cyber-counter-cyber-counter-cyber-ad-nauseaum campaigns.

Moving away from that site and comments there, I will now shift to more "satisficing" statements being made by the experts in the industry. "The culprit in the RSA was obviously yuange1975! It is all over his twitter account!" [4] Let us go back to the beginning here, attribution of the RSA and other attacks are being done solely based on IP information alone.

However, there is no mechanism to validate who is behind an address. This is something that ALL network and security engineers know, yet many security professionals want to tweak this information to conform to their analysis.

Let us look at the RSA attack unbiasedly for a moment. We have an "advanced threat" who has compromised a company to extract data. They have successfully gained access to and stolen data from a company. They turn around, brag and taunt [5] us. They have never done so before, but right now, they decide to start using Fast Flux DNS servers, much like those used by RBN spammers.

They also move away from using their "time proven" methods and tools namely, gh0st preferring to use droppers and bloated attack techniques. That makes little sense. Perhaps China is receiving schooling from the RBN and purposely using RBN tactics to deflect attention.

The theme of "China" being behind this attack started from a blog entry by FireEye [6]. In their writing, they use the name of who last saved the file mailed to the victims: Linxder. They then use uber Google searching, to associate that name with someone in China. Perhaps the search yielded the true identity of who sent the file no?

This is no more concrete evidence other than relying on an IP. Who knows, maybe Linxder was selling his exploits on eBay [7]. What state sponsored hacker doesn't sell stuff on eBay. Perhaps he sold the whole RSA attack theme in a bundle to the highest bidder. A++++

So what else did FireEye and others miss? The "fact" - not speculation - that the original exploit DID NOT, and I quote, "affect flash player 10.2.152.33 and earlier versions." Something so simple that was proven in my analysis video that can be seen here. So we have a company (FireEye) that digs out a name, associates that name with a quick Google search, associates an IP with a country and labels it a threat. Compiles a half-checked dynamic malware analysis and calls it a day. Those are the facts according to FireEye and others, here are mine.

Whomever is behind the RSA attack used tactics similar to the RBN and a network known to be used by the Russian Business Network (RBN). In most previous cases of "APT" attacks, the attackers followed a pattern. Usually a compromise followed by exfiltration of data via HTTPS, not UDP ports. In most previous cases of "APT" attacks, the attackers did not use Fast Flux DNS servers.

CONTRADICTORY FACTS ABOUT RSA COMPROMISE

a) In my analysis, Flash versions prior to 10.2.152.33 were not all vulnerable / According to FireEye they were [7]
b) Attackers connected back to a network with known RBN ties / Network happens to be in South Korea part of APNIC (APNIC therefore must be China!)
c) Attackers changed from using tried and true (htran, gh0st) methods to something else
d) Attackers, if related to the Chinese interpretation of APT, first known use of Fast Flux DNS
e) Attackers like to curse in English (see video)

When I state contradictory, I mean it on the face value. Beginning with a), FireEye's write-up occurred within days of the initial exploit. How many versions of Flash player did they test to make their conclusion? Clearly in the RSA video, we see that multiple versions are tried and none are "exploited" with the same consistency that were mentioned/tested by FireEye and others.

In b), the correlation of RBN ties has been documented and proven as well. [8,9,10,11,12]. In c) as a researcher, it is very simple to get samples of malware. For APT related samples, Contagio [13] houses a variety of malware used in APT attacks. None match the modus operandi (MO) of this RSA attack. Same goes for d) and e). New modus operandi for the "Chinese APT?" I think not.

Others also overlooked was the delivery method in the RSA attack. Few have reported that the initial e-mail came from a "trusted" source within their own blocks. By this I mean, according to the e-mail headers, the mail came from within their organization, or someone trusted to relay mail through their network. It is possible that someone compromised a machine from someone in RSA, then escalated the attack from a trusted host.

This is fact, not speculation:

Received: from mail176-tx2 (localhost.localdomain [127.0.0.1]) by mail176-tx2 (MessageSwitch) id 1299170895355519_1400; Thu,  3 Mar 2011 16:48:15 +0000 (UTC)

Received: from mail176-tx2 (localhost.localdomain [127.0.0.1])    by mail176-tx2-R.bigfish.com (Postfix) with ESMTP id A01071BD8396; Thu,  3 Mar 2011 16:48:15 +0000 (UTC)

Received: from mail176-tx2-R.bigfish.com (mail-tx2.bigfish.com [65.55.88.114]) by igwwc.lss.emc.com (Switch-3.4.3/Switch-3.4.3)
with ESMTP id p23GmF5F011742 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL);    Thu, 3 Mar 2011 08:48:16 -0800

Received: from phlspmx001.Beyond.local ([192.168.1.201]) by phlspmx001.Beyond.local ([192.168.1.201]) with mapi; Thu, 3 Mar 2011 11:48:06 -0500

Received: from mail.beyond.com (216.1.34.194) by TX2EHSMHS032.bigfish.com (10.9.99.132) with Microsoft SMTP Server id 14.1.225.8; Thu, 3 Mar 2011 16:48:06 +0000

Received: from TX2EHSMHS032.bigfish.com (unknown [10.9.14.240]) by mail176-tx2.bigfish.com (Postfix) with ESMTP id 508F11AB0050; Thu,  3 Mar 2011 16:48:15 +0000 (UTC)

Received: from mexforwardwc.lss.emc.com (137.69.224.82) by mxhub11.corp.emc.com (10.254.92.106) with Microsoft SMTP Server id 8.2.254.0; Thu, 3 Mar 2011 11:48:58 -0500

Received: from mailhubwc.lss.emc.com (mailhubscprd01.lss.emc.com [137.69.224.64]) by mexforwardwc.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with
ESMTP id p23Gmuic019054    (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);    Thu, 3 Mar 2011 08:48:57 -0800

Received: from igwwc.lss.emc.com (mailigwscprd02.lss.emc.com [137.69.120.131]) by mailhubwc.lss.emc.com (Switch-3.4.3/Switch-3.4.3)
with ESMTP id p23GmoVu006577; Thu, 3 Mar 2011 08:48:52 -0800


From: "web master"

We have no concrete connection to China as being the attacker of RSA outside of an IP address and its association to APNIC, along with a correlation of a name (Linxder) and a Google search of that name. Yet at the same time, we have concrete information about the origination of the domain used in the attack (mincesure.com) and that correlation to RBN networks [8,9,10,11] and tactics known to be used by the RBN.

In closing, we'd like to remind other experts [5] some of whom try to convey as being "in the know", not to overlook their own "known knowns" [14]. Meaning, stop tilting the evidence to their own benefits. 

It is "known" - not assumed - that Russia once set up shop in China for spam [13] and then shifted to using Korean addresses. [7,8,9,10]. These are the known facts brought to light by the same experts who turn around and tweak the same information into whatever is popular at the moment.

Take this write-up it how you'd like. RBN or China, if you ask me, its inconclusive but points more to RBN than APT.

Sources:

[1] https://www.cia.gov/library/center-for-the-study-of-intelligence/csi-publications/books-and-monographs/psychology-of-intelligence-analysis/PsychofIntelNew.pdf
[2] http://chinacyberwarfare.wordpress.com/2011/08/10/hong-kong-exchange-hit-by-hackers-good-cyber-shot-u-s/
[3] http://www.computerworld.com/s/article/9219372/Hong_Kong_police_say_they_ve_arrested_stock_exchange_hacker
[4] http://krebsonsecurity.com/2011/05/advanced-persistent-tweets-zero-day-in-140-characters/
[5] http://krebsonsecurity.com/2011/03/domains-used-in-rsa-attack-taunted-u-s/
[6] http://blog.fireeye.com/research/2011/03/who-is-exploiting-the-flash-0-day-cve-2011-0609.html
[7] http://myworld.ebay.com/linxder/
[8] http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/RBN_IP_List_Update_4-3-2011.txt
[9] http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/RBN_IP_List_Update_5-9-2011.txt
[10] http://isc.sans.edu/diary.html?storyid=10549&rss
[11] http://www.radioflood.com/detail/21171.html
[12] http://www.eweek.com/c/a/Security/RBN-Gang-Moves-Sets-Up-Shop-in-China/
[13] http://contagiodump.blogspot.com/
[14] http://krebsonsecurity.com/2010/03/spam-site-registrations-flee-china-for-russia/

Possibly Related Articles:
18448
Network->General
Information Security
RSA China Attacks hackers Cyber Warfare Attribution SecurID FireEye
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.