Flash zero-day, social engineering enable RSA SecurID hack


The hackers who broke into RSA's network to steal proprietary information related to its SecurID tokens used an Adobe Flash zero-day exploit to gain their initial foothold, a Gartner analyst said Friday.

Avivah Litan, vice president and distinguished analyst at Gartner, said in a blog post that the attackers sent low-level RSA employees emails that contained an Excel spreadsheet attachment labeled "2011 Recruitment Plan."

But the attachment actually carried an exploit for a Flash flaw that was not publicly disclosed until March 14, said Litan, who was briefed on the incident Friday as part of an analyst conference call. (That flaw has since been patched.)
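The lure described above is a spreadsheet with a Flash file inside it. A mail gateway or triage script can catch that combination cheaply by looking for SWF signatures inside the attachment. The following is an added example written for this article; it is not code from RSA, Gartner or NetWitness, and the article does not say how the SWF was packaged, so the scanner assumes the common case of a Flash object embedded as an OLE part in either a zip-based .xlsx or a raw OLE2 .xls. The functions `scan_attachment` and `find_swf_headers`, and all sample files, are constructed for illustration.

```python
import io
import struct
import zipfile
import zlib

# SWF file signatures: FWS = uncompressed, CWS = zlib-compressed,
# ZWS = LZMA-compressed. Each is followed by a one-byte version and a
# 4-byte little-endian total (uncompressed) file length.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")
MIN_SWF_LEN = 15  # 8-byte header + 1-byte RECT + frame rate + frame count + End tag


def _looks_like_zlib(cmf, flg):
    """zlib header check: deflate method and a valid FCHECK (RFC 1950)."""
    return (cmf & 0x0F) == 8 and ((cmf << 8) | flg) % 31 == 0


def find_swf_headers(data, where="<raw>"):
    """Return plausible embedded SWF headers found in a byte string."""
    hits = []
    for magic in SWF_MAGICS:
        i = data.find(magic)
        while i >= 0:
            remaining = len(data) - i
            if remaining >= 8:
                version = data[i + 3]
                (length,) = struct.unpack_from("<I", data, i + 4)
                ok = 1 <= version <= 40 and length >= MIN_SWF_LEN
                if magic == b"FWS":
                    # Uncompressed: the declared length cannot exceed the bytes left
                    ok = ok and length <= remaining
                elif magic == b"CWS":
                    # Compressed body must start with a zlib header; this is what
                    # rejects ordinary text such as "CWS Holdings"
                    ok = ok and remaining >= 10 and _looks_like_zlib(data[i + 8], data[i + 9])
                if ok:
                    hits.append({"where": where, "offset": i, "kind": magic.decode(),
                                 "version": version, "length": length})
            i = data.find(magic, i + 1)
    return hits


def scan_attachment(blob):
    """Zip-based Office files (.xlsx) are unpacked member by member; anything
    else (e.g. an OLE2 .xls) is scanned as raw bytes."""
    if blob.startswith(b"PK\x03\x04"):
        hits = []
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for name in zf.namelist():
                hits.extend(find_swf_headers(zf.read(name), name))
        return hits
    return find_swf_headers(blob)


def _minimal_swf(compressed):
    """Constructed sample: a minimal, harmless SWF (empty movie, version 10)."""
    body = b"\x00" + b"\x00\x0c" + b"\x01\x00" + b"\x00\x00"  # RECT, 12 fps, 1 frame, End tag
    total = 8 + len(body)
    if compressed:
        return b"CWS" + bytes([10]) + struct.pack("<I", total) + zlib.compress(body)
    return b"FWS" + bytes([10]) + struct.pack("<I", total) + body


def _xlsx(members):
    """Constructed sample: a zip with the given members, standing in for an .xlsx."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def sample_malicious_xlsx():
    # Constructed: Flash object stored as an embedded OLE part
    return _xlsx({
        "[Content_Types].xml": b"<Types/>",
        "xl/workbook.xml": b"<workbook/>",
        "xl/embeddings/oleObject1.bin": b"\xd0\xcf\x11\xe0" + b"\x00" * 60 + _minimal_swf(True),
    })


def sample_benign_xlsx():
    # Constructed: a cell value that happens to contain the letters "CWS"
    return _xlsx({
        "[Content_Types].xml": b"<Types/>",
        "xl/sharedStrings.xml": b"<sst><si><t>CWS Holdings</t></si></sst>",
    })


def sample_legacy_xls():
    # Constructed OLE2 stand-in: header sector followed by an uncompressed SWF stream
    return b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 504 + _minimal_swf(False)


if __name__ == "__main__":
    for label, blob in [("lure.xlsx", sample_malicious_xlsx()),
                        ("benign.xlsx", sample_benign_xlsx()),
                        ("lure.xls", sample_legacy_xls())]:
        print(label, scan_attachment(blob) or "no embedded Flash found")
```

The signature check is deliberately strict (version range, declared length, zlib header) so that the three-letter magic alone does not trigger on ordinary cell text. It is a triage filter, not a parser: an SWF split across fragmented OLE sectors, or one hidden inside a further encrypted or encoded container, would not be found, and production tooling should walk the OLE streams with a proper library rather than scanning raw bytes.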

"With the trojan downloaded, the attackers then started harvesting credentials and made their way up the RSA food chain via both IT and non-IT personnel accounts, until they finally obtained privileged access to the targeted system," Litan wrote. "The targeted data and files were stolen, and sent to an external compromised machine at a hosting provider."

RSA eventually detected the attack "before more damage could be done," using a product from NetWitness, a network monitoring company, but not before the attackers were able to exfiltrate information related to RSA's two-factor authentication products, Litan wrote.

RSA President Art Coviello has characterized the attack as an advanced persistent threat, known for its sophistication, stealthiness and financial backing.

In a letter to customers, Coviello said the information obtained by the hackers may teach them how to circumvent SecurID offerings, which include hardware token authenticators, software authenticators, authentication agents and appliances. Millions of companies worldwide use SecurID to protect access to their sensitive assets, such as web servers, email clients and VPNs.

An RSA spokesperson could not immediately be reached for comment on Friday evening.

Ryan Kazanciyan, a principal consultant for Mandiant, an incident response and computer forensic firm, did not comment specifically on the RSA breach. But he told SCMagazineUS.com this week that in most cases of advanced persistent threats, social engineering provides the entry point.

"Users get phished," he said. "There's a lot of bases to defend. [But] most organizations are still not postured from a security or architecture standpoint to confine and limit the scale of the breach once an attacker has gained access to the internal network."

UPDATE: RSA's Uri Rivner also has released an account of the attack.
