The infamous breach of RSA, which has left the insecurity outfit's SecurID two-factor authentication tokens under a cloud, began with a simple phishing expedition.
Apparently, the hacker sent two phishing e-mails over a two-day period, both with the subject line "2011 Recruitment Plan".
The mail ended up in the inboxes of two small groups of employees who weren't considered particularly high-profile or high-value targets.
Writing on his blog, Uri Rivner, head of new technologies in consumer identity protection at RSA, said that attached to the e-mails was a poisoned Excel file.
The spreadsheet carried an embedded Flash object that exploited a then-unpatched hole in Adobe Flash, and the exploit dropped a backdoor that let the attacker take remote control of the computer, he wrote.
Adobe patched the hole after RSA's announcement but failed to mention to the world that it was the one used in the RSA attack.
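An added example, not code from Rivner's post or from RSA or Adobe: a small Python triage script that looks for the Flash (SWF) file header inside a spreadsheet, which is the shape of attachment described above. It handles both the legacy binary .xls container and the zipped .xlsx one. The sample documents it scans are constructed inside the script and contain no exploit; the file names, byte layouts and thresholds are made up for illustration.

```python
import io
import struct
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .xls/.doc compound file
ZIP_MAGIC = b"PK\x03\x04"                           # .xlsx/.docx (OOXML) container
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")               # uncompressed, zlib and LZMA Flash headers


def find_swf_headers(blob, max_version=40, max_len=64 * 1024 * 1024):
    """Return (offset, signature, version, declared_length) for each plausible SWF header in blob."""
    hits = []
    for magic in SWF_MAGICS:
        start = 0
        while True:
            off = blob.find(magic, start)
            if off < 0:
                break
            start = off + 1
            if off + 8 > len(blob):
                continue
            version = blob[off + 3]
            declared_len = struct.unpack_from("<I", blob, off + 4)[0]
            # Filter out text that merely contains the letters "CWS": a real header has a
            # small version byte followed by a sane little-endian total file length.
            if 1 <= version <= max_version and 8 <= declared_len <= max_len:
                hits.append((off, magic.decode(), version, declared_len))
    return sorted(hits)


def scan_office_document(data):
    """Triage an Office file given as bytes: report the container type and SWF hits per stream."""
    if data.startswith(OLE2_MAGIC):
        return {"container": "ole2", "hits": {"<raw>": find_swf_headers(data)}}
    if data.startswith(ZIP_MAGIC):
        hits = {}
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():        # embedded objects normally live under xl/embeddings/
                member_hits = find_swf_headers(zf.read(name))
                if member_hits:
                    hits[name] = member_hits
        return {"container": "ooxml", "hits": hits}
    return {"container": "unknown", "hits": {"<raw>": find_swf_headers(data)}}


def has_embedded_flash(data):
    """True if any stream of the document carries a plausible Flash header."""
    return any(scan_office_document(data)["hits"].values())


def build_samples():
    """Constructed stand-in documents (no real exploit, just a Flash header in the right places)."""
    fake_swf = b"CWS" + bytes([10]) + struct.pack("<I", 4096) + b"\x78\x9c" + b"\x00" * 64
    legacy_xls = OLE2_MAGIC + b"\x00" * 504 + b"Workbook" + b"\x00" * 200 + fake_swf + b"\x00" * 100
    # "CWS" as ordinary text: version byte is a space and the "length" is ASCII, so it is rejected
    clean_xls = OLE2_MAGIC + b"\x00" * 504 + b"Workbook CWS is just text here" + b"\x00" * 100
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/embeddings/oleObject1.bin", OLE2_MAGIC + b"\x00" * 100 + fake_swf)
    return {"legacy_xls": legacy_xls, "clean_xls": clean_xls, "modern_xlsx": buf.getvalue()}


SAMPLES = build_samples()

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, scan_office_document(data))
```

Scanning raw bytes is a heuristic: it catches a Flash object stored contiguously but misses one split across OLE sectors or wrapped in another compression layer, and a hit only says Flash is present, not that the hole is being exploited. In 2011 a Flash object inside a spreadsheet from an unknown sender was reason enough to quarantine it.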
The type of attack RSA was hit with is known as an "Advanced Persistent Threat" (APT). The label means a targeted intrusion rather than a bit of drive-by malware: the attacker does homework on the outfit's operations, network and employees before the first mail goes out, and plans to stay inside for as long as it takes.
Normally, attackers have months to snuffle around the network, but RSA says it spotted this attack early. The attacker still managed to "identify and gain access to more strategic users" but only had time to get at some of the data.
They escalated privileges from ordinary, non-administrative accounts and then moved laterally to key high-value targets. Data was copied to staging servers inside the company, where it was compressed and encrypted, and then shipped out to a server at a hacked hosting provider.
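The staging and exfiltration steps above are the ones a detection team would most want to catch. An added example, not from RSA or from Rivner's post: Python that applies two obvious checks to constructed data, a proxy-log sweep for large uploads to a destination the network has never talked to before, and a byte-entropy test that flags compressed-and-encrypted archives when you do have the payload (a file found on a staging server, or full packet capture). The log lines, the baseline destination list, the IP addresses and the thresholds are all invented for the example.

```python
import math
import random
from collections import defaultdict

# Constructed proxy log lines, not from RSA's network: "<epoch> <src_ip> <method> <dest> <bytes_out>".
SAMPLE_LOG = """\
1300000001 10.1.4.23 GET  www.example.com 812
1300000002 10.1.4.23 POST mail.example.com 40210
1300000003 10.1.9.7  POST 203.0.113.50 83886080
1300000004 10.1.9.7  POST 203.0.113.50 71303168
1300000005 10.1.4.23 GET  cdn.example.com 1440
1300000006 10.1.9.7  GET  www.example.com 512
"""

# Destinations this made-up network normally talks to; anything else counts as new.
BASELINE_DESTINATIONS = {"www.example.com", "mail.example.com", "cdn.example.com"}


def parse_log(text):
    """Turn the whitespace-separated sample format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, method, dest, nbytes = line.split()
        events.append({"ts": int(ts), "src": src, "method": method, "dest": dest, "bytes_out": int(nbytes)})
    return events


def flag_exfiltration(events, baseline, upload_threshold=50 * 1024 * 1024):
    """Alert on (src, dest) pairs that push more than upload_threshold bytes to a host outside the baseline."""
    totals = defaultdict(int)
    for e in events:
        if e["method"] in ("POST", "PUT"):
            totals[(e["src"], e["dest"])] += e["bytes_out"]
    alerts = []
    for (src, dest), total in sorted(totals.items()):
        if dest not in baseline and total >= upload_threshold:
            alerts.append({"src": src, "dest": dest, "bytes_out": total})
    return alerts


def shannon_entropy(buf):
    """Bits per byte: 0.0 for empty input, 8.0 for a uniform byte distribution."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_packed(buf, threshold=7.5):
    """Compressed or encrypted payloads sit near 8 bits/byte; documents and text sit well below."""
    return shannon_entropy(buf) >= threshold


def build_payload_samples():
    """Constructed stand-ins: repeated plain text versus a seeded pseudo-random blob standing in for an encrypted archive."""
    rng = random.Random(2011)
    plaintext = b"2011 Recruitment Plan - draft, do not circulate\n" * 200
    packed = bytes(rng.getrandbits(8) for _ in range(4096))
    return {"plaintext": plaintext, "packed": packed}


if __name__ == "__main__":
    for alert in flag_exfiltration(parse_log(SAMPLE_LOG), BASELINE_DESTINATIONS):
        print("possible exfiltration:", alert)
    for name, buf in build_payload_samples().items():
        print(name, round(shannon_entropy(buf), 2), looks_packed(buf))
```

The threshold and the baseline set are the tunable parts. The point is that compressing and then encrypting the loot makes it unreadable to the defender, but also makes it look unlike anything a spreadsheet or mail client normally produces, and that the upload to a never-before-seen host at a hosting provider is the step most likely to show up in ordinary proxy logs even when the backdoor itself went unnoticed.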
It is still not clear what information was stolen in the raid.