If you haven’t heard already, the security company RSA was hacked through an unpatched vulnerability in the Adobe Flash Player application. RSA specializes in internet technology and business security, and its best-known product is the SecurID platform. RSA also runs a large “fraud center” that offers news and guidance on protecting both your business and your personal life from serious identity theft.
Adobe Exploit Identified In Microsoft Excel Document
RSA stated publicly that the hackers gained access by sending a batch e-mail to a group of employees with Microsoft Excel spreadsheets attached. The spreadsheet, disguised as a company-wide e-mail labeled “2011 Recruitment Plan.xls”, was unfortunately opened by one of the employees. When it was opened, the Excel spreadsheet carried an embedded “zero-day” exploit, which took advantage of a vulnerability in Adobe’s Flash Player application.
Using a hacker’s version of a remote administration tool (RAT), the attackers then collected important data from the employee’s computer (passwords, user names, sensitive information, etc.) and stored it on an external server they owned and controlled.
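The delivery vehicle described above was a Flash (.swf) object embedded in an .xls attachment. As an added example that is not part of the original article, the following mail-gateway style check scans an attachment’s raw bytes for plausible SWF headers (the FWS/CWS/ZWS signatures) and flags OLE2 spreadsheets that contain one; the sample file, function names and the triage verdicts are constructed for illustration.

```python
import re
import struct

# SWF header signatures: FWS (uncompressed), CWS (zlib), ZWS (LZMA).
SWF_MAGIC = re.compile(rb"[FCZ]WS")
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .xls/.doc container


def find_embedded_swf(blob: bytes, max_len: int = 64 * 1024 * 1024):
    """Return (offset, signature, version, declared_length) for each plausible
    SWF header anywhere in `blob`. Raw scanning is deliberate: the object can
    sit inside any OLE stream, so no container parsing is needed to spot it."""
    hits = []
    for m in SWF_MAGIC.finditer(blob):
        off = m.start()
        if off + 8 > len(blob):
            break
        version = blob[off + 3]                       # one-byte SWF version
        (declared_len,) = struct.unpack_from("<I", blob, off + 4)
        # Sanity checks to weed out random "FWS"/"CWS" text in ordinary data.
        if not 1 <= version <= 50:
            continue
        if declared_len < 8 or declared_len > max_len:
            continue
        # For an uncompressed SWF the declared length is the on-disk length,
        # so it cannot exceed the bytes remaining in the attachment.
        if m.group() == b"FWS" and declared_len > len(blob) - off:
            continue
        hits.append((off, m.group().decode(), version, declared_len))
    return hits


def triage_attachment(blob: bytes) -> str:
    """Constructed verdicts: an OLE2 spreadsheet carrying a SWF is the exact
    pattern described above and is quarantined; a SWF elsewhere gets review."""
    hits = find_embedded_swf(blob)
    if blob.startswith(OLE2_MAGIC) and hits:
        return "quarantine"
    if hits:
        return "review"
    return "pass"


# Constructed sample: OLE2 magic, padding, then a fake FWS header (version 10,
# declared length 20) followed by 12 filler bytes so the length is consistent.
SAMPLE_XLS = (OLE2_MAGIC + b"\x00" * 40
              + b"FWS" + bytes([10]) + struct.pack("<I", 20) + b"\x00" * 12)

if __name__ == "__main__":
    print(find_embedded_swf(SAMPLE_XLS), triage_attachment(SAMPLE_XLS))
```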
Apparently the target of the attack was a series of data files related to RSA’s SecurID application. SecurID provides two-factor authentication (passwords and PINs combined with authenticator IDs) for stronger system security, which makes breaking into a system protected by the software considerably more difficult. The hackers were evidently looking to use the collected data to develop exploits for weaknesses in the SecurID software.
How RSA Handled The Adobe Exploit
A week before RSA announced the security problems to the public (Thursday, March 17), Adobe released a public announcement revealing the exploit.
The Adobe announcement, made on March 14, stated that, “there are reports that this vulnerability is being exploited in the wild in targeted attacks via a Flash (.swf) file embedded in a Microsoft Excel (.xls) file delivered as an e-mail attachment.”
On March 14 it was not clearly evident to the public how serious the exploit really was, nor was it evident that RSA had actually been the target.
Adobe promised to release an update patching the vulnerability, and kept its word by releasing an unscheduled “out-of-cycle” update on March 21.
Security issues and bugs are more common than the general public would like to think; nothing in this world is perfect, and technology is no exception. In the case of such an exploit no one is at fault, neither Adobe nor RSA, unless the flaw is not patched safely and securely in a timely manner (which here it most certainly was).
Interestingly, on March 17 an MSRC (Microsoft Security Response Center) manager and security engineer announced in a public blog post that Excel 2010 was not affected by this flaw. Excel 2010 uses DEP (Data Execution Prevention) to protect the program from such attacks, which means the RSA employee who opened the Excel document was using an outdated version of Excel.
Uri Rivner, head of new technologies for consumer identity protection at RSA, spoke for the company on the hacking problem.
“In our case the weapon of choice was a Poison Ivy variant set in a reverse-connect mode that makes it more difficult to detect, as the PC reaches out to the command and control rather than the other way around. I’ve been talking to many CISOs in corporations that were hit by similar APTs and a lot of companies either detected the attacks after months, or didn’t detect them at all and learned about it from the Government.”
Rivner was supportive of the idea that RSA acted fast to prevent further issues, and also continued to say, “this is not a trivial point: by detecting what is happening early on, RSA was able to respond quickly and engage in immediate countermeasures.”
It does seem, however, that if RSA had followed proper security practice by keeping all office products up to date, and had educated its employees a little better, maybe it never would have happened at all. There is a certain irony in such a large security provider being hacked by such a small exploit.
Adobe Zero Day Exploit
What do you think of the whole ordeal and how RSA handled the situation? Do you believe the semi-successful hacking attempts could have been prevented, and if so, how? Please join the discussion and let us know in the dedicated Adobe exploit Forum thread.