RSA hack exploited Flash vulnerability

By Kevin McCaney

Connecting state and local government leaders

| April 4, 2011

The attack took the form of two spear phishing e-mails to small groups of RSA employees, and used a bit of social engineering to trick one employee into clicking a link in an Excel spreadsheet.

The hack last month that compromised RSA’s SecurID product resulted from a targeted advanced persistent threat that took advantage of a zero-day vulnerability in the Adobe Flash Player, the company confirmed.

The attack took the form of two spear phishing e-mails sent over two days to two small groups of RSA employees. The ploy used a bit of social engineering to get one of the employees to click on a link in the e-mail, according to a blog post by Uri Rivner, RSA’s head of new technologies, consumer identity protection. The employees targeted were not high-profile and wouldn’t be considered high-value targets, he wrote.

The e-mail’s subject line read “2011 Recruitment Plan,” Rivner wrote, and “the e-mail was crafted well enough to trick one of the employees to retrieve it from their Junk mail folder, and open the attached Excel file.”

Advanced persistent threats are a new way of life

The spreadsheet, titled “2011 Recruitment plan.xls,” contained a zero-day exploit that installed a backdoor through an Adobe Flash vulnerability, he wrote. Adobe has since released a patch for the vulnerability.

The attack harvested information about RSA’s SecurID, a two-factor authentication token used to secure such activities as banking transactions and network access.

Rivner, in his extensive blog post, points out that the attack was detected in progress by RSA’s computer incident response team for SecurID — a fairly rare occurrence for attacks of this kind, which can go undetected for months. RSA has said that, although some information was gathered, a direct attack on any SecurID customer was unlikely.

The company did advise customers to take steps to ensure that their information was secure.

Advanced persistent threats are an increasingly common type of attack that arrive in small doses and seek to quietly infiltrate system defenses, as opposed to widespread infections that attract attention. They can come in many forms — a phishing e-mail is just one way — and rather than disrupting a system, hide out while gathering information.

“The number of enterprises hit by APTs grows by the month; and the range of APT targets includes just about every industry,” Rivner wrote. “Unofficial tallies number dozens of mega corporations attacked. These companies deploy any imaginable combination of state-of-the-art perimeter and end-point security controls, and use all imaginable combinations of security operations and security controls. Yet still the determined attackers find their way in.”

River wrote that the RSA attack typified how an APT can work.

“The first thing actors like those behind the APT do is seek publicly available information about specific employees – social media sites are always a favorite,” he wrote. “With that in hand they then send that user a spear phishing e-mail. Often the e-mail uses target-relevant content; for instance, if you’re in the finance department, it may talk about some advice on regulatory controls.”

Rivner concluded with a warning that the wave of APTs will only get bigger. “What we’re witnessing now are the early days,” he wrote. “It’s time to respond as an industry, define and execute a new defense doctrine based on information sharing, deep analytics and advanced threat management.’

NEXT STORY: 'Minority Report' technology is just a game -- for now

This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. / Do Not Sell My Personal Information

Accept Cookies