RSA SecurID: When Two-Factor Authentication Gets Hacked

A spear-phishing email with an Excel spreadsheet led to theft of RSA's SecurID seed database — compromising the two-factor authentication tokens protecting defence contractors and government agencies worldwide.

RSA Security · 2011

Background

RSA Security's SecurID tokens were used by 40 million people to authenticate to sensitive systems. The token generated a 6-digit code every 60 seconds using a secret seed value. If an attacker knew the seed, they could predict the code.

The Attack

Attackers sent spear-phishing emails to small groups of RSA employees with the subject line "2011 Recruitment Plan." The Excel attachment contained an Adobe Flash zero-day exploit (CVE-2011-0609) that installed a RAT (Remote Access Trojan). Attackers escalated privileges, moved laterally to a staging server, and exfiltrated files including portions of the SecurID seed database using FTP through compromised RSA servers.

Response

RSA notified customers immediately upon discovery. The company offered to replace all 40 million tokens but the cost was prohibitive. RSA recommended customers add PIN layers and monitor for anomalous authentication attempts. Lockheed Martin, a major RSA customer and defence contractor, repelled a subsequent breach attempt using the stolen data.
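The two points above, that a seed-based token is only as secret as its seed and that a PIN layer plus failure monitoring limits the damage when the seed leaks, can be shown with a small verifier. This is an added example, not code from the article or from RSA: the real SecurID algorithm is proprietary, so RFC 6238 TOTP (HMAC-SHA1 over a time counter) stands in for it, and the user name, PIN and seed are constructed demo values. The 60-second step and 6-digit length follow the article.

```python
import hashlib
import hmac
import struct
from collections import defaultdict

# Assumption: RFC 6238 TOTP stands in for the proprietary SecurID algorithm.
STEP = 60    # the article: a new code every 60 seconds
DIGITS = 6   # the article: 6-digit codes


def totp(seed: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """Token code derived from nothing but the seed and the clock.

    Anyone holding the seed can run this function and obtain the same
    code the physical token displays, which is why the seed database
    was the prize in the breach.
    """
    counter = unix_time // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class PasscodeVerifier:
    """Server side: passcode = PIN + tokencode, with a per-user failure counter.

    The PIN is the knowledge factor the token code does not cover; the
    failure counter is the 'monitor for anomalous authentication attempts'
    advice in concrete form.
    """

    def __init__(self, seeds, pins, window=1, max_failures=5):
        self.seeds = seeds            # user -> seed bytes (demo only; store encrypted)
        self.pins = pins              # user -> PIN string (demo only; store a hash)
        self.window = window          # accept +/- this many steps of clock drift
        self.max_failures = max_failures
        self.failures = defaultdict(int)
        self.alerts = []

    def verify(self, user: str, passcode: str, unix_time: int) -> bool:
        submitted_pin, submitted_code = passcode[:-DIGITS], passcode[-DIGITS:]
        # Constant-time compares; both factors are always evaluated so a
        # wrong PIN and a wrong code are indistinguishable to the caller.
        pin_ok = hmac.compare_digest(submitted_pin, self.pins[user])
        code_ok = any(
            hmac.compare_digest(submitted_code, totp(self.seeds[user], unix_time + d * STEP))
            for d in range(-self.window, self.window + 1)
        )
        if pin_ok and code_ok:
            self.failures[user] = 0
            return True
        self.failures[user] += 1
        if self.failures[user] >= self.max_failures:
            self.alerts.append(f"{user}: {self.failures[user]} consecutive passcode failures")
        return False


def demo() -> dict:
    """Constructed scenario: the seed is known to the verifier and to the token."""
    seed = b"constructed-demo-seed-not-a-real-one"
    now = 1_300_000_000                    # fixed timestamp so the run is reproducible
    v = PasscodeVerifier({"alice": seed}, {"alice": "4821"}, max_failures=3)
    code = totp(seed, now)                 # what the token (or a seed holder) computes
    return {
        "code_alone": v.verify("alice", code, now),          # no PIN: rejected
        "correct": v.verify("alice", "4821" + code, now),    # PIN + code: accepted
        "wrong_pin_attempts": [v.verify("alice", p + code, now) for p in ("0000", "1111", "2222")],
        "alerts": list(v.alerts),                            # third failure raises an alert
    }


if __name__ == "__main__":
    for k, val in demo().items():
        print(f"{k}: {val}")
```

The point the run makes is that a correct tokencode without the PIN is worthless to the holder of a stolen seed, and that repeated correct-code, wrong-PIN attempts against one account are exactly the pattern the verifier should surface, since a legitimate user with the physical token rarely produces it.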

Outcome

The compromise of RSA's most sensitive product — the seed values that make tokens unpredictable — was an unprecedented attack on the authentication supply chain. RSA's parent EMC spent over $66 million on remediation. The incident revealed that even security companies are vulnerable to the same attacks they protect others from.

Key Takeaways

  1. Supply chain attacks against security vendors are high-value targets for nation-state actors
  2. Spear-phishing with contextually relevant lures bypasses employee vigilance
  3. Zero-day exploits in common software like Flash can bypass all endpoint controls
  4. Defence-in-depth must assume that authentication tokens can be compromised

Tags: spear-phishing, zero-day, Flash exploit, supply chain, 2FA compromise