RSA hack targeted Flash vulnerability

The mid-March hack that affected RSA was made possible by an Adobe Flash vulnerability, the computer security company has disclosed.

On Friday, Uri Rivner, RSA's head of new technologies for consumer identity protection, detailed the methods used to penetrate RSA. The attack, which RSA disclosed in March, saw hackers steal information about RSA's SecurID authentication tokens, which many organisations use to perform two-factor authentication for access to their networks.

Initially, the attackers targeted two separate groups of employees within RSA with two emails. Rivner noted that neither of these groups were "particularly high profile or high value targets." Each email carried an attached Excel file named "2011 Recruitment Plan". The spreadsheet contained a zero-day exploit for an Adobe Flash vulnerability, triggered through a Flash object embedded in the file, which installed a backdoor on the affected systems.
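
The only way a spreadsheet can reach Flash is by carrying a Flash (SWF) object inside it, so a first triage step for attachments like the one described above is to check whether an Office container embeds one. The following is an added example, not code from the article or from RSA: a signature scan for SWF headers inside an arbitrary byte blob, with sanity checks on the version byte and declared length to discard stray "FWS"/"CWS" text. The sample file, the version and length bounds, and the OLE2 magic check are the example's own assumptions.

```python
import struct
import zlib

# SWF signatures: FWS = uncompressed, CWS = zlib-compressed, ZWS = LZMA-compressed.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .xls/.doc container header

# Sanity bounds used to reject accidental three-byte matches (assumptions, not
# taken from any spec): Flash Player versions run 1..32, and a minimal SWF is
# 8-byte header + RECT + frame rate + frame count + End tag = 15 bytes.
MAX_SWF_VERSION = 32
MIN_SWF_LEN = 15
MAX_SWF_LEN = 64 * 1024 * 1024


def find_embedded_swf(data: bytes):
    """Return sorted (offset, signature, version, declared_length) tuples for
    every plausible SWF header anywhere in `data`.

    The container is treated as an opaque blob, so the same scan works on an
    OLE2 spreadsheet, an RTF or a PDF.  The version byte and little-endian
    uncompressed length that follow each signature are checked so that
    ordinary text containing "FWS" or "CWS" does not produce a hit."""
    hits = []
    for magic in SWF_MAGICS:
        start = 0
        while True:
            idx = data.find(magic, start)
            if idx < 0:
                break
            start = idx + 1
            header = data[idx:idx + 8]
            if len(header) < 8:
                continue
            version = header[3]
            declared_len = struct.unpack("<I", header[4:8])[0]
            if not 1 <= version <= MAX_SWF_VERSION:
                continue
            if not MIN_SWF_LEN <= declared_len <= MAX_SWF_LEN:
                continue
            hits.append((idx, magic.decode("ascii"), version, declared_len))
    return sorted(hits)


def triage_attachment(data: bytes) -> dict:
    """Flag a legacy Office container that carries Flash content, the
    combination described for the "2011 Recruitment Plan" spreadsheet."""
    hits = find_embedded_swf(data)
    is_ole2 = data.startswith(OLE2_MAGIC)
    return {
        "ole2_container": is_ole2,
        "embedded_swf": hits,
        "suspicious": is_ole2 and bool(hits),
    }


# Constructed sample (not the real attachment): an OLE2 header, one sector of
# filler, then a zlib-compressed SWF header, and finally a decoy "FWS" string
# whose version byte (0x58) and length (0xFFFFFFFF) fail the sanity checks.
SAMPLE_XLS = (
    OLE2_MAGIC
    + b"\x00" * 504
    + b"CWS" + bytes([10]) + struct.pack("<I", 4096) + zlib.compress(b"\x00" * 64)
    + b"\x00" * 100
    + b"FWS" + b"X" + b"\xff\xff\xff\xff"
)

if __name__ == "__main__":
    print(triage_attachment(SAMPLE_XLS))
```

A raw byte scan is a quick first pass, not a parser: OLE2 stores streams in 512-byte sectors that need not be contiguous, so an SWF whose header is preceded by a stream prefix can straddle a sector boundary and be missed. For thorough triage, open the container with an OLE2 parser (for example the `olefile` Python package) and run the same scan over each extracted stream.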

Once inside the system, a hard-to-detect remote administration tool named Poison Ivy was installed on at least one machine. From there, the hackers harvested access credentials and performed privilege escalation to ultimately gain access to high value targets, which Rivner said were "process experts and IT and non-IT specific server administrators."

At this point, the attackers gained access to RSA staging servers at crucial network aggregation points. They then moved through the network taking data and transferring it to the internal staging servers for aggregation, compression and encryption.

FTP was subsequently used to transfer password-protected, and therefore encrypted, RAR files from the RSA file server to an external staging server, a compromised machine at a hosting provider. The files were then pulled from this server by the attacker, and the compromised machine was cleaned to remove any traces of the attack.

Three hostnames were associated with the attack: Good.mincesur.com, up82673.hopto.org and www.cz88.net.

Adobe released a patch for the Flash vulnerability — CVE-2011-0609 — on 14 March.

UK resellers of RSA two-factor authentication products expressed dissatisfaction with RSA's communication policies in the weeks following the attack.

About the author: Jack Clark has spent the past three years writing about the technical and economic principles that are driving the shift to cloud computing.
