The mid-March hack that affected RSA was made possible by an Adobe Flash vulnerability, the computer security company has disclosed.
On Friday, Uri Rivner, RSA's head of new technologies for consumer identity protection, detailed the methods used to penetrate RSA. The attack, which RSA disclosed in March, saw hackers steal information about RSA's SecurID authentication tokens, which are used to perform two-factor authentication for users of various networks.
Initially, the attackers targeted two separate groups of employees within RSA with two emails. Rivner noted that neither of these two groups was "particularly high profile or high value targets." Each of the emails contained an attached Excel file named "2011 Recruitment Plan", which contained a zero-day exploit that installed a backdoor on the affected systems via an Adobe Flash vulnerability.
Once inside the system, a hard-to-detect remote administration tool named Poison Ivy was installed on at least one machine. From there, the hackers harvested access credentials and performed privilege escalation to ultimately gain access to high-value targets, which Rivner said were "process experts and IT and non-IT specific server administrators."
At this point, the attackers gained access to RSA staging servers at crucial network aggregation points. They then moved through the network taking data and transferring it to the internal staging servers for aggregation, compression and encryption.
FTP was subsequently used to transfer password-protected RAR files from the RSA file server to an external staging server on a compromised machine within a hosting provider. The files were then pulled from this server by the attacker, and the compromised machine was cleaned to remove any traces of the attack.
Three URLs were associated with the attack. These were Good.mincesur.com, up82673.hopto.org and www.cz88.net.
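The exfiltration path described above (password-protected RAR archives pushed by FTP to an external staging host) and the three domains RSA associated with the attack are the kind of indicators a defender would turn into detection rules. The following Python script is an added example, not code from the article or from RSA: it runs two simple rules over a handful of constructed log lines in an assumed "timestamp src dst proto detail" format (not any real product's format), flagging DNS lookups of the listed domains and FTP uploads of .rar files to non-internal addresses.

```python
import re
from collections import namedtuple

# Domains the article associates with the attack (taken from the page, lower-cased).
ATTACK_DOMAINS = {"good.mincesur.com", "up82673.hopto.org", "www.cz88.net"}

# Constructed sample log lines. The "ts src dst proto detail" layout is an
# assumption made for this example; real logs would need their own parser.
SAMPLE_LOGS = [
    "2011-03-10T09:12:01 10.0.5.21 10.0.5.2 dns query=www.example.com",
    "2011-03-10T09:12:07 10.0.5.21 10.0.5.2 dns query=good.mincesur.com",
    "2011-03-10T09:15:33 10.0.7.44 198.51.100.9 ftp STOR hr_2011.rar",
    "2011-03-10T09:16:10 10.0.7.44 10.0.9.3 smb write report.xlsx",
    "2011-03-10T09:20:45 10.0.5.21 10.0.5.2 dns query=up82673.hopto.org",
    "2011-03-10T09:22:02 10.0.7.44 203.0.113.5 ftp STOR part2.rar",
]

LogEntry = namedtuple("LogEntry", "ts src dst proto detail")
Alert = namedtuple("Alert", "rule ts src indicator")


def parse_line(line):
    """Split one constructed log line into its five fields."""
    ts, src, dst, proto, detail = line.split(" ", 4)
    return LogEntry(ts, src, dst, proto, detail)


def is_internal(ip):
    """True for RFC 1918 private addresses; anything else counts as external."""
    return (
        ip.startswith("10.")
        or ip.startswith("192.168.")
        or re.match(r"^172\.(1[6-9]|2\d|3[01])\.", ip) is not None
    )


def check_dns(entry):
    """Rule 1: a DNS query for one of the domains named in the article."""
    if entry.proto != "dns":
        return None
    m = re.match(r"query=(\S+)", entry.detail)
    if m and m.group(1).lower() in ATTACK_DOMAINS:
        return Alert("known-attack-domain", entry.ts, entry.src, m.group(1))
    return None


def check_ftp_archive_upload(entry):
    """Rule 2: an FTP STOR of a .rar archive to a non-internal destination."""
    if entry.proto != "ftp" or is_internal(entry.dst):
        return None
    m = re.match(r"STOR\s+(\S+\.rar)$", entry.detail, re.IGNORECASE)
    if m:
        return Alert("external-ftp-archive-upload", entry.ts, entry.src,
                     f"{entry.dst}:{m.group(1)}")
    return None


RULES = (check_dns, check_ftp_archive_upload)


def scan(lines):
    """Apply every rule to every line and return the alerts in log order."""
    alerts = []
    for line in lines:
        entry = parse_line(line)
        for rule in RULES:
            alert = rule(entry)
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS):
        print(alert)
```

Running the script on the constructed sample produces four alerts: two for the listed domains and two for the archive uploads to external hosts. The domain rule is only as good as the indicator list, so the FTP rule matters more in practice: it keys on the behaviour (bulk archive leaving the network over FTP) rather than on infrastructure the attacker can change.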
Adobe released a patch for the Flash vulnerability — CVE-2011-0609 — on 14 March.
UK resellers of RSA two-factor authentication products expressed dissatisfaction with RSA's communication policies in the weeks following the attack.