RSA security lapse led to March hack, says researcher

Exploit targeted Windows XP machines that didn't have DEP switched on

The attack that hacked RSA Security's network earlier this year succeeded because the company failed to take a basic security precaution, a researcher said Monday.

According to Rodrigo Branco, the director of Qualys' vulnerability and malware research labs, the malware targeted the decade-old Windows XP.

"The feeling is the target[ed PC] was running Windows XP SP3 ... with all the patches," said Branco in emailed answers to questions.

The problem, said Branco, is that while Windows XP includes the DEP (data execution prevention) defensive technology -- Microsoft added DEP to XP in 2004 with Service Pack 2 -- it's not switched on by default.

And RSA apparently neglected to turn it on.

Branco based his bet on his investigation into the exploit code that RSA confirmed had been used to break into its network.

That code exploited a then-unpatched vulnerability in Adobe Flash Player -- Adobe quashed the bug Mach 21, four days after RSA acknowledged the attack -- and followed by infecting the target PC with a customized variant of the Poison Ivy remote administration tool (RAT).

Branco eliminated Windows Vista and Windows 7 from the list of targeted operating systems because both enable DEP by default. DEP would have stymied the exploit from executing, he said.

Additionally, the exploit code would not execute on a Windows 7 PC because of changes to the kernel in that edition.

Targeting Windows XP is still a popular pastime for hackers. The "Aurora" campaign that breached Google's network -- and led it to threaten to pull its operations from the People's Republic of China -- and dozens of other Western companies also aimed to subvert Windows XP systems .

Branco believes that the RSA attackers either pegged the security firm as running Windows XP or simply assumed that the company, like many others, still relied on the aged operating system.

"This isn't difficult information to get from companies," said Branco. "Programs like browsers leak this information all the time."

There is an outside chance that the RSA attack did compromise a Windows Vista or Windows 7 machine, Branco said, noting that his research showed the exploit could have been modified to execute on those versions.

But he ultimately rejected that possibility.

"I don't think it was [modified to work on Vista or Windows 7], because apparently the exploit was re-used as is," Branco said, referring to the Flash exploit tucked into an Excel spreadsheet, the identified infection vector for the attack.

RSA could have prevented the expensive breach -- it spent $66 million replacing customers' SecurID tokens -- by either migrating its Windows XP machines to a newer OS, by isolating those XP PCs, or by enabling DEP on them, Branco concluded.

Microsoft implicitly agreed last spring when it said that the Excel-based attack could not have worked on PCs running Office 2010, which automatically enables DEP.

Microsoft also published a security advisory shortly after RSA confirmed the attack, telling users that they could protect their PCs by switching on DEP in older versions of Office using the Enhanced Mitigation Experience Toolkit (EMET).

Instructions for switching on DEP in Windows XP SP2 and SP3 are available on Microsoft's website.

Researchers suspect that the RSA attack originated in China , based on the location of the malware's command-and-control (C&C) servers and other evidence.

RSA did not immediately reply to a request for comment or confirmation of Branco's analysis.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer , or subscribe to Gregg's RSS feed . His e-mail address is .

Read more about security in Computerworld's Security Topic Center.

Join the CSO newsletter!

Error: Please check your email address.

Tags rsa securityMicrosoftsecurityWindowssoftwareoperating systemsqualys

More about Adobe SystemsAppleetworkExcelGoogleMicrosoftQualysRSAToolkitTopic

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Gregg Keizer

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place