[Infowarrior] - RSA Blames Phishing Attack for March Security Breach

Richard Forno rforno at infowarrior.org
Tue Apr 5 15:10:03 CDT 2011


(c/o KM)

RSA Blames Phishing Attack for March Security Breach
ARTICLE DATE:  04.05.11
By  Chloe Albanesius
http://www.pcmag.com/print_article2/0,1217,a=262703,00.asp?hidPrint=true

RSA, the security division of EMC, blamed a phishing attack for a recent breach that threatened its SecurID authentication service.

Specifically, a hacker sent two different phishing emails over a two-day period to a small group of RSA employees. The subject line of the emails was "2011 Recruitment Plan", and each carried an Excel spreadsheet attachment of the same name.

"The email was crafted well enough to trick one of the employees to retrieve it from their Junk mail folder, and open the attached Excel file," Uri Rivner, head of new technologies, identity protection and verification at RSA, wrote in a Friday blog post.

That spreadsheet, however, contained a zero-day exploit that installed a backdoor through an Adobe Flash vulnerability, Rivner said. Adobe has since released a patch for the bug.

Last month, RSA sent a letter to customers that warned them of "an extremely sophisticated cyber attack in progress being mounted against RSA." Executive chairman Art Coviello said at the time that the attack was an Advanced Persistent Threat (APT) that resulted in the hackers extracting "certain information" from RSA's systems.

Coviello said the attack did not allow for a direct attack on RSA's SecurID system, but that the extracted information might be used to "reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack."

In his blog post, Rivner said "in our case the weapon of choice was a Poison Ivy variant set in a reverse-connect mode that makes it more difficult to detect, as the PC reaches out to the command and control rather than the other way around. Similar techniques were reported in many past APTs, including GhostNet."
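Reverse-connect malware is harder to spot with inbound-facing controls because the infected PC initiates every session, but that same behaviour leaves a recognisable pattern in outbound logs: repeated connections to one destination at near-constant intervals. The following is an added example, not code from the article, RSA or Ziff Davis, that groups constructed proxy log lines by source and destination and flags pairs whose inter-connection timing is regular enough to look like a beacon. The log format, the hostnames and addresses (documentation ranges), and the thresholds are all assumptions.

```python
"""Flag periodic outbound connections ("beaconing") in proxy log lines.

Added example with constructed data; log format and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<ISO timestamp> <source host> <dest ip:port> <bytes out>".
# ws-17 talks to 203.0.113.10:443 roughly once a minute; everything else is sporadic.
SAMPLE_LOG = """\
2011-03-01T09:00:00 ws-17 203.0.113.10:443 512
2011-03-01T09:00:03 ws-17 198.51.100.5:80 14022
2011-03-01T09:01:00 ws-17 203.0.113.10:443 508
2011-03-01T09:01:41 ws-22 198.51.100.5:80 2210
2011-03-01T09:02:01 ws-17 203.0.113.10:443 515
2011-03-01T09:02:59 ws-17 203.0.113.10:443 510
2011-03-01T09:03:20 ws-22 198.51.100.7:443 80211
2011-03-01T09:04:00 ws-17 203.0.113.10:443 509
2011-03-01T09:05:00 ws-17 203.0.113.10:443 511
2011-03-01T09:07:45 ws-22 198.51.100.5:80 1902
2011-03-01T09:12:10 ws-22 198.51.100.9:443 640
"""


def parse_log(text):
    """Parse log lines into (timestamp, src, dst, bytes_out) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # ignore anything that does not match the assumed four-field layout
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        records.append((ts, parts[1], parts[2], int(parts[3])))
    return records


def find_beacons(records, min_hits=5, max_cv=0.1):
    """Return (src, dst, hits, mean_interval_s, cv) for src->dst pairs that connect
    at least min_hits times with a coefficient of variation of the inter-connection
    interval at or below max_cv. Low CV means the timing is suspiciously regular;
    jittered beacons raise CV, so max_cv is a tuning knob, not a hard truth.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _ in records:
        by_pair[(src, dst)].append(ts)

    findings = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(intervals)
        if avg <= 0:
            continue  # duplicate timestamps; nothing periodic to measure
        cv = pstdev(intervals) / avg
        if cv <= max_cv:
            findings.append((src, dst, len(stamps), avg, cv))
    return findings


if __name__ == "__main__":
    for src, dst, hits, avg, cv in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"possible beacon: {src} -> {dst}, {hits} hits, every ~{avg:.0f}s (cv={cv:.3f})")
```

On the constructed log this reports a single finding, ws-17 to 203.0.113.10:443 with six connections about sixty seconds apart. In practice the same grouping is run over a day or more of proxy or firewall logs, the destination is then checked against what the host legitimately needs, and the thresholds are tuned against the environment's own scheduled traffic (update checks, monitoring agents) so that regular but benign connections do not drown the real hits.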

Rivner said the focus of an APT is to "use a totally new approach for entering the organization."

"You don't bother to just simply hack the organization and its infrastructure; you focus much more of your attention on hacking the employees," he wrote.

Rivner then touted the company's detection technology, arguing that "a lot of companies either detected the attacks after months, or didn't detect them at all and learned about it from the government."

Copyright (c) 2011 Ziff Davis Inc. All Rights Reserved.

