RSA hackers exploited Flash zero-day bug

Employee who fell for e-mail with rigged Excel doc let hackers inside network

Last month's hack of RSA Security began with an exploit of a then-unpatched vulnerability in Adobe Flash Player, the company confirmed Friday.

According to RSA, attackers gained access to its network by sending two small groups of employees e-mails with attached Excel spreadsheets. One of those employees opened the attachment, which was titled "2011 Recruitment plan.xls."

The spreadsheet contained an embedded Flash file that exploited a "zero-day" vulnerability -- a bug then unknown to Adobe, and thus unpatched -- that allowed hackers to commandeer the employee's PC.

From there, the attackers installed a customized variant of the Poison Ivy remote administration tool (RAT) on the compromised computer. Using the RAT, hackers harvested users' credentials to access other machines within the RSA network, searched for and copied sensitive information, and then transferred the data to external servers they controlled.

Although RSA has not detailed what was stolen, it has admitted that information related to the company's SecurID two-factor authentication products was part of the hacker's haul.

Last week's description of the Flash attack vector helps explain the reaction of Adobe and others to the flaw, and shows that RSA was hacked at least several days before the company went public.

RSA first reported the attack and the data theft late on Thursday, March 17.

Three days before that, however, Adobe had issued a security advisory acknowledging that attackers were exploiting an unpatched bug in Flash Player using tricked-out Excel documents.

"There are reports that this vulnerability is being exploited in the wild in targeted attacks via a Flash (.swf) file embedded in a Microsoft Excel (.xls) file delivered as an e-mail attachment," Adobe said in the March 14 advisory.

At the time, Adobe did not name RSA as the target of the ongoing attacks.

But Adobe did promise to patch the Flash vulnerability the next week, a promise it kept when it shipped an "out-of-cycle" update of the popular media player seven days later, on Monday, March 21.

Adobe has delivered emergency patches for Flash before. In 2010, for instance, it rushed out fixes three times, one in only six days, the other two times in seven days each.

In hindsight, the seriousness of the Flash vulnerability should have been apparent. On March 17, Microsoft told Office users to protect themselves by running an advanced configuration tool.

Microsoft made those recommendations several hours before RSA's top executive admitted that his company's network had been breached.

The RSA employee who opened the attack Excel file must have been using a version of Office earlier than Office 2010. In a March 17 blog post, a manager and security engineer with the Microsoft Security Response Center (MSRC) said that Excel 2010 was not susceptible to the attacks then circulating.

Excel 2010 automatically enables DEP (data execution prevention), a key Windows anti-exploit technology, and also isolates malicious files inside Office 2010's "Protected View," a "sandbox" that prevents attack code from escaping the application.

Older versions of Excel, including those in Office 2003 and Office 2007, were not protected by DEP or Protected View, said Microsoft.

While RSA has characterized the attack as an "advanced persistent threat," or APT -- an oft-used label for slow, stealthy attacks, typically attributed to Chinese hackers -- some security experts seemed to see it as just ordinary.

"2 emails and a Adobe Flash 0-day and you too can be an APT!" said Jeremiah Grossman, the CTO an WhiteHat Security, on Twitter Friday.

Join the CSO newsletter!

Error: Please check your email address.

Tags rsa securitysecuritySecurity Hardware and Software

More about Adobe SystemsAPTetworkExcelMicrosoftRSA

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Gregg Keizer

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts