The hackers who broke into RSA‘s network to steal proprietary information related to its SecurID tokens used an Adobe Flash zero-day exploit to gain their initial foothold, a Gartner analyst said Friday.
Avivah Litan, vice president and distinguished analyst at Gartner, said in a blog post that the attackers sent low-level RSA employees emails that contained an Excel spreadsheet attachment labeled “2011 Recruitment Plan.”
But the attachment actually contained an exploit for a Flash flaw that was not publicly revealed until March 14, said Litan, who was briefed on the incident Friday as part of an analyst conference call. (That flaw has since been patched).
“With the trojan downloaded, the attackers then started harvesting credentials and made their way up the RSA food chain via both IT and non-IT personnel accounts, until they finally obtained privileged access to the targeted system,” Litan wrote. “The targeted data and files were stolen, and sent to an external compromised machine at a hosting provider.”
RSA eventually detected the attack “before more damage could be done,” using a product from NetWitness, a network monitoring company, but not before the attackers were able to exfiltrate information related to RSA’s two-factor authentication products, Litan wrote.
RSA President Art Coviello has characterized the attack as an advanced persistent threat, known for its sophistication, stealthiness and financial backing.
In a letter to customers, Coviello said the information obtained by the hackers may teach them how to circumvent SecurID offerings, which include hardware token authenticators, software authenticators, authentication agents and appliances. Millions of companies worldwide use SecurID to protect access to their sensitive assets, such as web servers, email clients and VPNs.
An RSA spokesperson could not immediately be reached for comment on Friday evening.
Ryan Kazanciyan, a principal consultant for Mandiant, an incident response and computer forensic firm, did not comment specifically on the RSA breach. But he told SCMagazineUS.com this week that in most cases of advanced persistent threats, social engineering provides the entry point.
“Users get phished,” he said. “There’s a lot of bases to defend. [But] most organizations are still not postured from a security or architecture standpoint to confine and limit the scale of the breach once an attacker has gained access to the internal network.”
UPDATE: RSA’s Uri Rivner also has released an account of the attack.