Details of the RSA Hack
We finally have some, even though the company isn't talking:
So just how well crafted was the e-mail that got RSA hacked? Not very, judging by what F-Secure found.
The attackers spoofed the e-mail to make it appear to come from a "web master" at Beyond.com, a job-seeking and recruiting site. Inside the e-mail, there was just one line of text: "I forward this file to you for review. Please open and view it." This was apparently enough to get the intruders the keys to RSAs kingdom.
F-Secure produced a brief video showing what happened if the recipient clicked on the attachment. An Excel spreadsheet opened, which was completely blank except for an "X" that appeared in the first box of the spreadsheet. The "X" was the only visible sign that there was an embedded Flash exploit in the spreadsheet. When the spreadsheet opened, Excel triggered the Flash exploit to activate, which then dropped the backdoor -- in this case a backdoor known as Poison Ivy -- onto the system.
Poison Ivy would then reach out to a command-and-control server that the attackers controlled at good.mincesur.com, a domain that F-Secure says has been used in other espionage attacks, giving the attackers remote access to the infected computer at EMC. From there, they were able to reach the systems and data they were ultimately after.
F-Secure notes that neither the phishing e-mail nor the backdoor it dropped onto systems were advanced, although the zero-day Flash exploit it used to drop the backdoor was advanced.
Posted on August 30, 2011 at 6:25 AM • 42 Comments