RSA Hack Analysis: Windows DEP Not Enabled

Tuesday, December 06, 2011



In March of this year, RSA, the security division of EMC, announced that it had suffered a breach stemming from a "sophisticated attack" on its network systems.

The attackers targeted proprietary information on RSA's SecurID two-factor authentication product, which is designed to prevent unauthorized access to enterprise networks.

Analysts have since debated whether the characterization of the attack as "sophisticated" was accurate.

New analysis from researchers at Qualys suggests that the success of the attack may have hinged on RSA's use of the older Windows XP operating system and the failure to enable the DEP (data execution prevention) security option.

"The feeling is the target[ed PC] was running Windows XP SP3... with all the patches," said director of Qualys' vulnerability and malware research Rodrigo Branco.

The attackers had likely surmised that RSA was still using the old operating system. DEP had been available on Windows XP since 2004's Service Pack 2, but the default policy (OptIn) protects only Windows system binaries and services; third-party applications such as Excel run without it unless an administrator switches the policy to OptOut or AlwaysOn.

"This isn't difficult information to get from companies. Programs like browsers leak this information all the time," said Branco.

There is room in the analysis to conclude that the exploit was adapted to target systems running later versions of Windows, but Branco says it is highly unlikely.

"I don't think it was [modified to work on Vista or Windows 7], because apparently the exploit was re-used as is," Branco said.

According to research released by F-Secure in August, the attack was most likely carried out via an email with a short message and a malicious Excel spreadsheet attached.

The messages read: "I forward this file to you for review. Please open and view it."

Had DEP been enabled on the targeted systems, it may have prevented the malicious code from executing, thus preventing the systems from being infected.
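The two preceding points (DEP present in XP but not covering third-party applications by default, and the infection turning on whether DEP was active when the attachment was opened) come down to one check: is DEP actually enforced for the process that opens the spreadsheet? The script below is an added example, not code from the article or from RSA, Qualys or F-Secure. It reads the system-wide policy from WMI and then asks the kernel directly, via kernel32!GetProcessDEPPolicy, whether each running Excel process has DEP on. It assumes PowerShell 2.0 (the last version that installs on XP SP3) and a 32-bit target process; the process name `EXCEL` and the function name `Get-ProcessDep` are my choices.

```powershell
# Added example (not from the article): report the system-wide DEP policy and
# whether DEP is actually active in a running Office process such as Excel.
# Assumes Windows XP SP3 / Vista SP1 or later (GetProcessDEPPolicy exists there)
# and PowerShell 2.0, which is the last version installable on XP.

# 1. System-wide policy from WMI. SupportPolicy values: 0 = AlwaysOff,
#    1 = AlwaysOn, 2 = OptIn (XP SP2/SP3 default: only Windows binaries and
#    services are protected), 3 = OptOut (everything unless exempted).
$os = Get-WmiObject -Class Win32_OperatingSystem
$policyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
$policy = [int]$os.DataExecutionPrevention_SupportPolicy
"OS version:             $($os.Version)"
"Hardware DEP available: $($os.DataExecutionPrevention_Available)"
"DEP support policy:     $policy ($($policyNames[$policy]))"
"DEP for 32-bit apps:    $($os.DataExecutionPrevention_32BitApplications)"

# 2. Per-process state via P/Invoke of kernel32!GetProcessDEPPolicy.
#    PROCESS_DEP_ENABLE is bit 0 of lpFlags; lpPermanent is TRUE when the
#    setting can no longer be changed for that process.
Add-Type -Namespace Win32 -Name Dep -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool GetProcessDEPPolicy(IntPtr hProcess, out uint lpFlags, out bool lpPermanent);
'@

function Get-ProcessDep {
    # Process name without .exe; 'EXCEL' is an assumed target, not from the page.
    param([string]$Name = 'EXCEL')
    foreach ($p in Get-Process -Name $Name -ErrorAction SilentlyContinue) {
        $flags = [uint32]0
        $permanent = $false
        # $p.Handle opens the process with full access, so run as the same user
        # that started Excel (or elevated). The call is meaningful for 32-bit
        # processes; 64-bit processes always have DEP on and may make it fail.
        if ([Win32.Dep]::GetProcessDEPPolicy($p.Handle, [ref]$flags, [ref]$permanent)) {
            New-Object PSObject -Property @{
                Name      = $p.ProcessName
                Id        = $p.Id
                DepOn     = [bool]($flags -band 1)
                Permanent = $permanent
            }
        } else {
            Write-Warning "GetProcessDEPPolicy failed for PID $($p.Id) (access denied or 64-bit process)"
        }
    }
}

Get-ProcessDep -Name 'EXCEL' | Format-Table Name, Id, DepOn, Permanent -AutoSize
```

On an XP SP3 host left at the default policy the first part prints `2 (OptIn)` and the second part reports `DepOn: False` for Excel, which is the configuration the Qualys analysis describes; if no Excel process is running the second part prints nothing. To move an XP host to OptOut, change the `/noexecute=OptIn` switch in boot.ini to `/noexecute=OptOut` and reboot (on Vista and later, `bcdedit /set nx OptOut`). If `DataExecutionPrevention_Available` is `False`, the CPU lacks NX/XD support and only software-enforced DEP applies, which does not stop code running from a data page.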

Timo Hirvonen, an F-Secure antimalware analyst, found the suspected email among the millions of samples submitted to the free file scanning service VirusTotal.

The message had been sent on March 3, but was not submitted to VirusTotal until two days after the RSA breach was announced.

While few details have been released that would give analysts a clear understanding of the scope and impact of the breach, the unauthorized access to sensitive SecurID material is known to have had widespread impact.

RSA's customers include government, military, financial, enterprise, healthcare and insurance companies.

In June, after detecting unauthorized access attempts, Lockheed disabled its employees' remote access privileges while it reissued SecurID tokens to all telecommuting workers and required every employee with network access to change their password.

Shortly afterwards, defense contractor Northrop Grumman also reportedly disabled remote access to its networks, and L-3 Communications reported that it had suffered a network breach stemming from cloned RSA SecurID tokens.

Though RSA has not confirmed details regarding the operating system versions in use during the attack, the company did say they are "generally supportive of this kind of analysis as it can help organizations in their understanding of how advanced threats are carried out so they can better detect and defend against them."


The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
