RSA explains itself after attacks

In a post on its company security blog, RSA has given some more details on the attacks it recently fell victim to.

The post, written by Uri Rivner, RSA's head of new technologies and consumer identity protection, goes into great detail. If you have a minute to spare, it is well worth the read.

To summarize a bit:

  • Attackers got their hands on specific employees’ publicly available information.
  • Hackers sent specific employees a phishing email entitled '2011 Recruitment Plan' with an Excel spreadsheet attached. The spreadsheet, called '2011 Recruitment plan.xls', hid an embedded Flash exploit, which took advantage of an Adobe zero-day vulnerability (CVE-2011-0609).
  • A variant of the Poison Ivy remote administration tool (RAT) was downloaded by the Trojan to give the attackers remote control of the computer.
  • The attackers took the access credentials from the compromised victims. The attackers then performed “privilege escalation on non-administrative users in the targeted systems, and then moved on to gain access to key high value targets, which included process experts and IT and Non-IT specific server administrators.”
  • The hackers went into the servers of interest, copied data and moved it to internal staging servers. The data was then aggregated, compressed and encrypted for extraction. FTP was used to transfer “many” password-protected RAR files from the RSA file server to an outside staging server, a compromised machine at an external hosting provider.
  • The files were subsequently pulled by the attackers and removed from the external compromised host to remove any traces of the attack.

Oops :)
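
The staging step in the summary above leaves password-protected RAR files on internal servers before they leave over FTP, which is something a defender can sweep for. The following is an added example, not part of the original post or of RSA's write-up: it reads the RAR 4.x block headers and reports whether an archive is password-protected. The function names and the sample archive are constructed for illustration; header CRCs are not validated, and RAR5 archives use a different header format and are reported as not_rar.

```python
import struct

RAR4_MAGIC = b"Rar!\x1a\x07\x00"   # marker block of RAR 1.5-4.x archives
MAIN_HEAD, FILE_HEAD = 0x73, 0x74  # HEAD_TYPE values
MHD_PASSWORD = 0x0080              # main header flag: block headers encrypted
LHD_PASSWORD = 0x0004              # file header flag: file data encrypted
LONG_BLOCK = 0x8000                # block is followed by ADD_SIZE bytes of data


def classify_rar4(data: bytes) -> str:
    """Return 'not_rar', 'plain', 'encrypted_files' or 'encrypted_headers'."""
    if not data.startswith(RAR4_MAGIC):
        return "not_rar"
    pos = len(RAR4_MAGIC)
    while pos + 7 <= len(data):
        # Common block prefix: HEAD_CRC, HEAD_TYPE, HEAD_FLAGS, HEAD_SIZE
        _crc, htype, flags, hsize = struct.unpack_from("<HBHH", data, pos)
        if hsize < 7:
            break  # malformed header, stop walking
        if htype == MAIN_HEAD and flags & MHD_PASSWORD:
            return "encrypted_headers"  # even the file names are hidden
        if htype == FILE_HEAD and flags & LHD_PASSWORD:
            return "encrypted_files"
        add = 0
        if flags & LONG_BLOCK and pos + 11 <= len(data):
            add = struct.unpack_from("<I", data, pos + 7)[0]  # PACK_SIZE
        pos += hsize + add
    return "plain"


def sample_archive(main_flags: int, file_flags: int) -> bytes:
    """Constructed one-file RAR4 skeleton (CRCs zeroed, payload is filler)."""
    name, payload = b"a.txt", bytes(16)
    main = struct.pack("<HBHH", 0, MAIN_HEAD, main_flags, 13) + bytes(6)
    fhead = struct.pack(
        "<HBHHIIBIIBBHI", 0, FILE_HEAD, file_flags | LONG_BLOCK,
        32 + len(name), len(payload), len(payload), 0, 0, 0, 29, 0x30,
        len(name), 0) + name
    return RAR4_MAGIC + main + fhead + payload


if __name__ == "__main__":
    for label, blob in [("plain", sample_archive(0, 0)),
                        ("file password", sample_archive(0, LHD_PASSWORD)),
                        ("header password", sample_archive(MHD_PASSWORD, 0))]:
        print(label, "->", classify_rar4(blob))
```

Run over the first few kilobytes of each file on a file server or staging share, this separates ordinary archives from encrypted ones regardless of file extension.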

About Danny Bisaerts

Danny Bisaerts has grown over the past decades from a development background into the world of Information Security and Physical Security. He has spent a lot of time in the world of finance, government, consulting, manufacturing, telecommunications and utilities ...

Danny is currently the editor of www.itsecurity.be. Email : editor@itsecurity.be