A well-crafted e-mail with the subject line "2011 Recruitment Plan" tricked an RSA employee into retrieving a message from a junk-mail folder and opening it; the message carried malware that led to a sophisticated attack on the company's information systems, a top technologist at the security vendor says in a blog post.
An Excel spreadsheet attached to the e-mail contained a zero-day exploit for an Adobe Flash vulnerability, which Adobe has since patched; the exploit led to the installation of a backdoor, writes Uri Rivner, head of new technologies, identity protection and verification at RSA, in a blog post published Friday.
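As an added illustration (not from the article or from RSA), the following Python checks an Excel attachment for an embedded Flash (SWF) object, the delivery mechanism described above, covering both legacy OLE .xls files and ZIP-based .xlsx files; the sample files it builds are constructed, and the SWF header heuristic is an assumption made for this demo.

```python
import io
import zipfile

# Flash (SWF) files begin with one of three signatures:
# uncompressed, zlib-compressed, or LZMA-compressed.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")


def find_swf_offsets(data: bytes) -> list:
    """Return offsets of plausible SWF headers in raw bytes.
    Header layout: 3-byte magic, 1-byte version, 4-byte little-endian length.
    The version-byte sanity check (assumed range) trims false positives."""
    hits = []
    for magic in SWF_MAGICS:
        start = 0
        while True:
            idx = data.find(magic, start)
            if idx == -1:
                break
            if idx + 8 <= len(data) and 1 <= data[idx + 3] <= 50:
                hits.append(idx)
            start = idx + 1
    return sorted(hits)


def scan_excel_attachment(blob: bytes) -> dict:
    """Map container part name (or '<raw>') to SWF offsets found inside.
    .xlsx/.xlsm are ZIP archives, so each part is scanned separately;
    anything else (e.g. an OLE2 .xls) is scanned as one byte stream."""
    findings = {}
    if blob[:4] == b"PK\x03\x04":
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for name in zf.namelist():
                offs = find_swf_offsets(zf.read(name))
                if offs:
                    findings[name] = offs
    else:
        offs = find_swf_offsets(blob)
        if offs:
            findings["<raw>"] = offs
    return findings


def build_sample_xlsx(embed_swf: bool) -> bytes:
    """Constructed minimal .xlsx: one sheet, optionally one embedded SWF stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        if embed_swf:
            fake_swf = b"CWS\x0a" + (100).to_bytes(4, "little") + b"\x00" * 32
            zf.writestr("xl/embeddings/oleObject1.bin", fake_swf)
    return buf.getvalue()
```

A mail gateway would apply `scan_excel_attachment` to each Excel attachment and quarantine or flag any message whose result is non-empty.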
RSA disclosed on March 17 that an attacker had targeted its SecurID two-factor authentication product in what it termed an advanced persistent threat breach. An APT refers to sophisticated and clandestine means of gaining continual, persistent intelligence on a group such as a nation or corporation. The RSA official says the attacker first harvested access credentials from the compromised employee and performed privilege escalation on non-administrative users in the targeted systems, then moved on to gain access to key high-value targets, which included process experts and IT and non-IT specific server administrators.
If attackers think they can exist in the environment without being detected, they may continue in stealth mode for a long while. If they think they run the risk of being detected, however, they move much faster and complete the third and most "noisy" stage of the attack. Since RSA detected this attack in progress, it is likely the attacker had to move very quickly to accomplish anything in this phase.
While RSA made it clear that certain information was extracted, it's interesting to note that the attack was detected by its Computer Incident Response Team in progress