Apr 4, 2011 03:57 GMT

Reputed security company RSA said the intrusion incident it suffered last month was the result of a spear phishing attack leveraging a recently patched Adobe Flash vulnerability.

In mid-March, RSA Security, a division of EMC Corp., admitted being the victim of an Advanced Persistent Threat (APT) attack which resulted in sensitive information being stolen from its systems.

The data was related to the company's popular SecurID two-factor authentication product which is used to secure numerous private and governmental networks.

The company noted that while the stolen information can't be used to attack SecurID directly, it can be leveraged to reduce its effectiveness.

After the initial public disclosure, the company pretty much kept quiet and refused to answer more questions, which attracted some criticism from the security community.

Gartner VP and distinguished analyst Avivah Litan announced that RSA revealed in a conference call on Friday that a small group of low-profile RSA employees were targeted via emails with a subject of "2011 Recruitment Plan."

The emails carried an attached Excel spreadsheet rigged to exploit a recently patched vulnerability in Adobe Flash. Identified as CVE-2011-0609, the flaw was unknown at the time of the RSA attack, which made it a 0-day.

The malicious XLS file installed a credentials-stealing trojan which helped the attackers move deeper inside the network and target more critical systems. RSA detected the attack with the help of its NetWitness product; however, it wasn't able to stop it before some data was siphoned out.

Mrs. Litan gave the company credit for coming clean immediately after discovering the compromise, but mentioned the inability of its own products to block the attack.

"The irony though with RSA is that they don’t eat their own dog food. In other words, they relied on yesterday’s best of breed tools to prevent and detect the attack.

"They gave a lot of credit to NetWitness for helping them find the attack in real time but they obviously weren’t able to stop the attack in real time, which means the signals and scores weren’t high enough to cause a person to shut down the attack in real time," she said.