The RSA breach resulted from a targeted phishing attack that used a Flash object embedded in an Excel file, according to a blog post by Uri Rivner, RSA's head of new technologies, consumer identity protection.
The attacker sent two different phishing emails to two groups of RSA employees over a two-day period. The email was crafted to trick one employee into retrieving it from the Junk mail folder and opening the attached Excel file, which was titled 2011 Recruitment Plan, Rivner explained.
The spreadsheet contained a zero-day exploit that installed a backdoor through an Adobe Flash vulnerability (CVE-2011-0609), which was patched last month.
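The lure described above was an Excel workbook with a Flash (SWF) object inside it. As an added triage example, not code from Rivner's post or from RSA, the following Python scanner looks for the tell-tale signs of such an embedding in a mail-gateway or sandbox setting: the SWF file magic (`FWS`, `CWS`, `ZWS` plus version and length), the Flash Player ActiveX CLSID in text and little-endian binary form, and the `ShockwaveFlash` ProgID. It handles both zip-based OOXML workbooks (member by member) and legacy OLE `.xls` files (raw byte scan). The sample workbook it builds is constructed in memory for the example and is not the real attachment.

```python
import io
import re
import struct
import zipfile

# Indicators of an embedded Flash object in an Office container.
# The Flash Player ActiveX CLSID in text form and as a 16-byte little-endian
# GUID (the form OLE storages use), plus the ProgID text.
FLASH_CLSID_TEXT = b"D27CDB6E-AE6D-11CF-96B8-444553540000"
FLASH_CLSID_BIN = bytes.fromhex("6EDB7CD26DAECF1196B8444553540000")
FLASH_PROGID = b"ShockwaveFlash"
# SWF header: 3-byte signature (FWS plain, CWS zlib, ZWS LZMA), 1-byte
# version (1..64 treated as plausible here), 4-byte little-endian length.
SWF_HEADER = re.compile(rb"(FWS|CWS|ZWS)([\x01-\x40])(.{4})", re.DOTALL)


def find_swf_headers(data):
    """Return plausible SWF headers found anywhere in a byte buffer."""
    hits = []
    for m in SWF_HEADER.finditer(data):
        length = struct.unpack("<I", m.group(3))[0]
        if length >= 8:  # the header alone is 8 bytes; anything smaller is noise
            hits.append({"offset": m.start(),
                         "signature": m.group(1).decode(),
                         "version": m.group(2)[0],
                         "declared_length": length})
    return hits


def scan_blob(name, data):
    """Scan one container member (or a whole OLE file) for Flash indicators."""
    findings = []
    for h in find_swf_headers(data):
        findings.append({"member": name, "kind": "swf", **h})
    for label, pattern in (("clsid", FLASH_CLSID_TEXT),
                           ("clsid", FLASH_CLSID_BIN),
                           ("progid", FLASH_PROGID)):
        off = data.find(pattern)
        if off != -1:
            findings.append({"member": name, "kind": label, "offset": off})
    return findings


def scan_office_file(data):
    """Scan an .xlsx/.xlsm (zip) or legacy .xls (OLE) blob for embedded Flash."""
    if data[:4] == b"PK\x03\x04":
        findings = []
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                findings.extend(scan_blob(member, zf.read(member)))
        return findings
    return scan_blob("<raw>", data)


def make_sample_xlsx(with_flash):
    """Constructed in-memory workbook for the example; not a real artefact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_flash:
            # Fake zlib-compressed SWF: header plus a zlib-looking prefix.
            swf = (b"CWS" + bytes([10]) + struct.pack("<I", 4096)
                   + b"\x78\x9c" + b"\x00" * 32)
            zf.writestr("xl/embeddings/oleObject1.bin", swf)
            zf.writestr("xl/worksheets/sheet1.xml",
                        '<oleObject progId="ShockwaveFlash.ShockwaveFlash"/>')
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_office_file(make_sample_xlsx(True)):
        print(f)
```

The byte scan is a heuristic for triage rather than a full OLE parser: a SWF header inside a legacy `.xls` sits within one 512-byte sector and so is found contiguously, but a finding should be confirmed by extracting the object with a proper OLE library before blocking on it.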
Once inside the network, the attacker used a variant of the Poison Ivy remote administration tool to carry out privilege elevation attacks in order to jump from lower access accounts to higher access administrator accounts. Eventually, the hacker gained access to the key high-value targets that included process experts and IT and non-IT specific server administrators.
“The attacker…established access to staging servers at key aggregation points; this was done to get ready for extraction. Then they went into the servers of interest, removed data and moved it to internal staging servers where the data was aggregated, compressed and encrypted for extraction”, Rivner explained.
“The attacker then used FTP to transfer many password protected RAR files from the RSA file server to an outside staging server at an external, compromised machine at a hosting provider. The files were subsequently pulled by the attacker and removed from the external compromised host to remove any traces of the attack”, he concluded.
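The staging and exfiltration pattern Rivner describes (data aggregated, compressed and encrypted into RAR archives, then pushed out over FTP to an external host) is one a defender can hunt for in egress logs. As an added example, not from the blog post or from RSA, the Python below runs simple detection logic over constructed log lines in a hypothetical firewall/FTP-proxy format: it keeps only FTP uploads (`STOR`) to destinations outside the organisation's assumed internal ranges, filters to archive extensions, aggregates per source/destination pair and raises an alert when the pair crosses a count or volume threshold. The log format, hosts, thresholds and internal ranges are all assumptions for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log lines in a hypothetical format; not RSA's logs.
SAMPLE_LOG = """\
2011-03-10T02:14:07Z src=10.1.20.15 dst=203.0.113.45 proto=ftp cmd=STOR file=data_part01.rar bytes=52428800
2011-03-10T02:21:33Z src=10.1.20.15 dst=203.0.113.45 proto=ftp cmd=STOR file=data_part02.rar bytes=52428800
2011-03-10T02:29:50Z src=10.1.20.15 dst=203.0.113.45 proto=ftp cmd=STOR file=data_part03.rar bytes=41943040
2011-03-10T03:02:11Z src=10.1.20.15 dst=10.1.5.8 proto=ftp cmd=STOR file=backup.rar bytes=104857600
2011-03-10T09:15:02Z src=10.1.30.22 dst=198.51.100.7 proto=ftp cmd=STOR file=report.pdf bytes=204800
2011-03-10T09:40:41Z src=10.1.30.22 dst=203.0.113.45 proto=ftp cmd=STOR file=notes.zip bytes=1024
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) "
    r"cmd=(?P<cmd>\S+) file=(?P<file>\S+) bytes=(?P<bytes>\d+)$")

# Assumed internal address space (RFC 1918); adjust to the real environment.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ARCHIVE_EXT = (".rar", ".zip", ".7z", ".r00", ".r01")
MIN_ARCHIVE_COUNT = 3                # assumed: three or more archives to one host
MIN_TOTAL_BYTES = 100 * 1024 * 1024  # assumed: or 100 MiB total to one host


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    return rec


def is_external(ip):
    """True when the address is outside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect_archive_exfil(lines):
    """Aggregate external FTP archive uploads per (src, dst) and alert on thresholds."""
    sessions = defaultdict(lambda: {"count": 0, "bytes": 0, "files": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "ftp" or rec["cmd"] != "STOR":
            continue
        if not is_external(rec["dst"]):
            continue
        if not rec["file"].lower().endswith(ARCHIVE_EXT):
            continue
        s = sessions[(rec["src"], rec["dst"])]
        s["count"] += 1
        s["bytes"] += rec["bytes"]
        s["files"].append(rec["file"])
    alerts = []
    for (src, dst), s in sorted(sessions.items()):
        if s["count"] >= MIN_ARCHIVE_COUNT or s["bytes"] >= MIN_TOTAL_BYTES:
            alerts.append({"src": src, "dst": dst, "count": s["count"],
                           "bytes": s["bytes"], "files": s["files"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_archive_exfil(SAMPLE_LOG.splitlines()):
        print(alert)
```

Only the first three lines combine all the conditions (external destination, archive extension, enough volume), so the single alert names 10.1.20.15 pushing three RAR parts to 203.0.113.45; the internal copy, the PDF and the lone small zip are left alone. Password protection on the archives is not visible in transfer logs, which is why the rule keys on destination, extension and volume rather than content.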
While detailed in its description of how the attack occurred, Rivner's blog is lacking in information on what was taken. As Infosecurity reported when the breach was announced, SecurID customers want to know what information was extracted from RSA's servers, particularly whether the highly sensitive seed record database was breached.