APT-driven zero-day attacks tapped by RSA hackers says researcher

According to security researcher Brian Krebs, APT-driven zero-day attacks may have been behind the widely-publicised data breach at RSA in March of this year.

The hackers who broke into RSA, he claims, appear to have leveraged some of the very same web sites, tools and services used in that attack to infiltrate dozens of other companies during the past year, including some of the Fortune 500 companies protected by RSA.

What's more, he says, the assailants moved their operations from those sites very recently, after their locations were revealed in a report published online by the US Computer Emergency Readiness Team (US-CERT).

"In RSA's explanation of the attack, it pointed to three domains that it claimed were used to download malicious software and to siphon sensitive data taken from its internal networks: Good/mincesur.com, up82673/hopto.org and www/cz88.net", says Krebs in his security blog.

"But according to interviews with several security experts who keep a close eye on these domains, the web sites in question weren't merely one-time attack staging grounds: They had earned a reputation as launch pads for the same kind of attacks over at least a 12 month period prior to the RSA breach disclosure", he adds.

Krebs goes on to quote Gunter Ollmann, vice president of research with Damballa, an internet scanning research firm, as saying that his firm has been monitoring the three malicious sites that RSA said were involved in the theft of its intellectual property.

Ollmann claims that there are other major firms that have had "extensive communications with those hostile domains during that time", but added that his company is helping the authorities with the investigation.

"There is lots of malware that have relied on those domains for command and control", Ollmann told Krebs. "We know who the victims are, roughly how many devices within those victim organisations were compromised, and are still compromised. RSA was not the only victim of these attacks."

Interestingly, Ollmann stops short of pointing an accusing finger at RSA, but said that, "in this case, the malware and their associated domains were known about for a very long time."

"There is no excuse for organisations not blocking [access to] those sites and communications channels", he added.
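Ollmann's point is that the three domains RSA named were already known command-and-control infrastructure, so any organisation could have matched its own proxy or DNS logs against them. The script below, an added illustration rather than code from the article, Krebs or Damballa, does exactly that: it refangs the indicators as printed in the article (assuming the "/" stands in for the first "." of each hostname), then checks a few constructed proxy log lines against them with suffix matching, so that subdomains of a listed host are caught while look-alike hosts that merely contain the string are not.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Set
from urllib.parse import urlparse

# Indicators exactly as printed in the article, defanged with "/" in place of
# the first "." so they do not render as live links.
DEFANGED_DOMAINS = ["Good/mincesur.com", "up82673/hopto.org", "www/cz88.net"]


def refang(indicator: str) -> str:
    """Rebuild a hostname from the article's 'label/domain.tld' form.

    Assumption: the slash replaced the first dot of the hostname.
    Hostnames are case-insensitive, so the result is lowercased.
    """
    return indicator.strip().replace("/", ".", 1).lower()


BLOCKLIST: Set[str] = {refang(d) for d in DEFANGED_DOMAINS}

# Constructed sample proxy log lines (not from the article):
# timestamp, client IP, method, URL.
SAMPLE_LOG = """\
2011-03-01T10:12:01Z 10.0.4.17 GET http://good.mincesur.com/index.asp
2011-03-01T10:12:05Z 10.0.4.17 POST http://up82673.hopto.org/upload
2011-03-01T10:13:40Z 10.0.9.3 GET http://www.example.com/
2011-03-01T10:15:02Z 10.0.4.22 GET http://cdn.www.cz88.net/x.bin
2011-03-01T10:16:11Z 10.0.4.17 GET http://mincesur.com.example.org/
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+)$")


def matches_blocklist(host: str, blocklist: Set[str]) -> Optional[str]:
    """Return the blocklist entry that `host` equals or is a subdomain of.

    Matching strips leading labels one at a time, so 'cdn.www.cz88.net'
    matches 'www.cz88.net', but 'mincesur.com.example.org' matches nothing:
    a plain substring test would wrongly flag the latter.
    """
    labels = host.lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def scan(log_text: str, blocklist: Set[str]) -> List[Dict[str, str]]:
    """Parse proxy log lines and return the ones whose host hits the blocklist."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the sweep
        host = urlparse(m.group("url")).hostname
        if not host:
            continue
        entry = matches_blocklist(host, blocklist)
        if entry is not None:
            hits.append({"ts": m.group("ts"), "client": m.group("client"),
                         "host": host, "indicator": entry})
    return hits


def clients_by_hit_count(hits: List[Dict[str, str]]) -> Counter:
    """Which internal hosts talked to the hostile domains, and how often."""
    return Counter(h["client"] for h in hits)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG, BLOCKLIST)
    for h in found:
        print(f"{h['ts']} {h['client']} -> {h['host']} (matches {h['indicator']})")
    print("Clients to triage:", dict(clients_by_hit_count(found)))
```

Run against real proxy or DNS logs, the same suffix logic is what a blocklist on an egress proxy or DNS resolver applies; the per-client tally is the first step in working out, as Ollmann puts it, "roughly how many devices" in an organisation are talking to the infrastructure.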

Krebs also remains silent on where the fault lies in the RSA hack, but quotes a security expert, speaking anonymously, as saying that what people need to understand is that there is a concerted and organised national-level strategy being orchestrated against the US and other countries.

"Not many security companies out there are highly focused on this threat. We're at risk of being completely overwhelmed and outmatched [if we don't] work together in a collective defence", he explained.
