Purpose

The purpose of this alert update is to raise awareness of recent changes to the security remediation program for the RSA SecurID tokens.

Assessment

RSA recently confirmed that information taken from the March compromise was used in an attempt to compromise U.S. government military contractor systems. As a result, RSA announced it would expand its security remediation program and offer to replace SecurID tokens where the user base is concentrated and typically focused on protecting intellectual property and corporate networks, and offer to implement risk-based authentication strategies where there is a large dispersed user base, typically focused on protecting web-based financial transactions.

The targeting of military contractor systems and the initial RSA report may indicate a high level of technical resources and specific interests of potential attackers. This pattern is increasingly known in the cyber security community as Advanced Persistent Threat (APT). Historically, other reported targets of APT have included:

• high-profile international events participants
  
• legal organizations, namely those involved in international contracts, mergers and acquisitions
  
• organizations involved in international affairs, economics and finance
  
• security and defense organizations
  
• natural resources and energy sector organizations
  
• research and development organizations
  
• information management / information technology organizations
  
• political activist groups

A successful attack against RSA SecurID technology would likely require multiple steps. One such step may involve a socially engineered email aimed at obtaining the user's secret PIN code and token serial number. Such emails typically display the following characteristics:

• socially engineered, well crafted, sometimes leveraging social media information
• sender address spoofed to appear to come from trusted internal email address
• source often uses a real webmail account (e.g., gmail, yahoo, msn), sometimes with a name familiar to the recipient (e.g.. yourboss@*web_mail_provider*.com)
• use of embedded link to a web-hosted .zip file containing an executable file
• extensive use of trojanized Adobe and MS files (e.g., Excel, Word) in email attachments
• subject of email, URL and attachment tailored to the user, or use appealing themes

The SANS project found in reference (http://www.sans.edu/student-files/projects/JWP-Binde-McRee-OConnor.pdf) provides a valuable insight on APT behavior. Such behavior includes the use of Remote Access Tools (RAT) such as Poison Ivy.

Suggested Action

CCIRC recommends that organizations using RSA SecurID products for controlling access to high-value information technology assets consider the following actions in light of their business requirements and infrastructure:

• Follow RSA implementation guidelines for enhanced PIN code complexity policy.
• Implement enhanced security measures, such as raising user awareness, to protect token serial numbers and PINs, since those may be vulnerable to social engineering and phishing attacks.
  
• Evaluate organizational risk in light of available threat, vulnerability, and safeguard information, then implement defence-in-depth principles accordingly.
  
• Where applicable, contact your RSA account representative(s) for additional mitigation information and consideration for possible replacement of existing tokens with replacements created post–April 2011.

References

• http://www.sans.edu/student-files/projects/JWP-Binde-McRee-OConnor.pdf
• http://www.rsa.com/node.aspx?id=3891
• http://blogs.rsa.com/rivner/anatomy-of-an-attack/
• http://www.rsa.com/node.aspx?id=3872
• http://www.rsa.com/products/securid/sb/10695_SIDTFA_SB_0210.pdf

Reporting

Critical Infrastructure operators and governments potentially affected by this alert are encouraged to provide an assessment report to the Government Operations Centre.