Slashdot Mirror
Tools, Techniques, Procedures of the RSA Hackers Revealed
An anonymous reader writes "Details of the tools, techniques and procedures used by the hackers behind the RSA security breach have been revealed in a research paper (PDF) published by Australian IT security company Command Five. The paper also, for the first time, explains links between the RSA hack and other major targeted attacks. This paper is a vendor-neutral must-read for any network defenders concerned by the hype surrounding 'Advanced Persistent Threats.'"
I think everyone is afraid to click on that link.
It was most interesting to see one antivirus lab take months longer than another to detect one of these rootkits -- and that the rootkit may have been out there for months longer than that.
We might be past the useful span of antivirus software at this point. The attacker has always had the upper hand, being able to train malware against existing antivirus software.
One piece of advice in there was to limit internal networks to using internal DNS. But it's smarter to go one step further. By determining which sites employees should visit and distributing a hosts file to all internal computers, a company can avoid the myriad risks of operating a DNS server. Then any outgoing DNS traffic can be detected by a savvy internalnet admin at the firewall, and the offending computers cleaned.
E-mail attachments also continue to be a problem. The secret of the pros is to set up a script in your favorite language to detect e-mails with attachments, and move the attachments from the e-mail to the IT account. Then, once a trained professional examines each attachment, safe files can be copied into the folders of the relevant employees, and an e-mail sent to them to let them know they're in the clear.
While good computer safety is complex, much of it can be automated or outsourced. But thankfully not all of it, am I right guys?
The report details malware that connected to a particular control host, named alyac.org. The host was used in an attack on SK Communications. One particular piece of malware (the Murcy malware the paper describes) is indicated to have been used in the RSA attack.
The RSA connection is detailed in the paragraph of the report titled "Link To RSA Breach":
The majority of the known callback domains for Murcy malware were used in the March 2011 RSA breach. This suggests that the attackers responsible for the RSA breach also use the Murcy malware. Given that the malware is reportedly not in widespread use, the Chinese server communicating with ‘path.alyac.org’ may have been compromised by the same attackers responsible for the RSA breach
There's little else that's really information specifically about the RSA breach. Still a nice bit of information about malware, but it'd be nice if the summary mentioned SK Communications, since that's the paper's real focus.
You do not have a moral or legal right to do absolutely anything you want.
All internal systems should use the internal DNS server.
The firewalls should block any outgoing DNS queries from any systems (except the internal DNS servers).
The firewall logs should be checked each day for violations.
The internal DNS server logs should be checked each day for unusual activity.
Even if you cannot prevent your systems from being compromised you should be looking for the signs that they are compromised.
IMHO the most important thing in the article is that the malware was digitally signed. This exposes the weakness in digital signatures. Not only for applications and modules(drivers) but UEFI and all of the other "secure boot" ideas.
Having to work for a living is the root of all evil.