RSA hack exploited Flash vulnerability
Company official details how the attack on RSA's SecurID product went down
- By Kevin McCaney
- Apr 04, 2011
The hack last month that compromised RSA’s SecurID product resulted from a targeted advanced persistent threat that took advantage of a zero-day vulnerability in the Adobe Flash Player, the company confirmed.
The attack took the form of two spear phishing e-mails sent over two days to two small groups of RSA employees. The ploy used a bit of social engineering to get one of the employees to click on a link in the e-mail, according to a blog post by Uri Rivner, RSA’s head of new technologies, consumer identity protection. The employees targeted were not high-profile and wouldn’t be considered high-value targets, he wrote.
The e-mail’s subject line read “2011 Recruitment Plan,” Rivner wrote, and “the e-mail was crafted well enough to trick one of the employees to retrieve it from their Junk mail folder, and open the attached Excel file.”
After hack, security of RSA SecurID tokens in the hands of users
Advanced persistent threats are a new way of life
The spreadsheet, titled “2011 Recruitment plan.xls,” contained a zero-day exploit that installed a backdoor through an Adobe Flash vulnerability, he wrote. Adobe has since released a patch for the vulnerability.
The attack harvested information about RSA’s SecurID, a two-factor authentication token used to secure such activities as banking transactions and network access.
Rivner, in his extensive blog post, points out that the attack was detected in progress by RSA’s computer incident response team for SecurID — a fairly rare occurrence for attacks of this kind, which can go undetected for months. RSA has said that, although some information was gathered, a direct attack on any SecurID customer was unlikely.
The company did advise customers to take steps to ensure that their information was secure.
Advanced persistent threats are an increasingly common type of attack that arrive in small doses and seek to quietly infiltrate system defenses, as opposed to widespread infections that attract attention. They can come in many forms — a phishing e-mail is just one way — and rather than disrupting a system, hide out while gathering information.
“The number of enterprises hit by APTs grows by the month; and the range of APT targets includes just about every industry,” Rivner wrote. “Unofficial tallies number dozens of mega corporations attacked. These companies deploy any imaginable combination of state-of-the-art perimeter and end-point security controls, and use all imaginable combinations of security operations and security controls. Yet still the determined attackers find their way in.”
River wrote that the RSA attack typified how an APT can work.
“The first thing actors like those behind the APT do is seek publicly available information about specific employees – social media sites are always a favorite,” he wrote. “With that in hand they then send that user a spear phishing e-mail. Often the e-mail uses target-relevant content; for instance, if you’re in the finance department, it may talk about some advice on regulatory controls.”
Rivner concluded with a warning that the wave of APTs will only get bigger. “What we’re witnessing now are the early days,” he wrote. “It’s time to respond as an industry, define and execute a new defense doctrine based on information sharing, deep analytics and advanced threat management.’
Kevin McCaney is a former editor of Defense Systems and GCN.