It has emerged that the underlying cause of RSA’s SecurID gaffe was the recently reported zero-day vulnerability found in Adobe’s Flash Player.
The exploit, which used specially crafted Flash embedded in Excel spreadsheets, was first reported on March 15 and has since been fixed. RSA was hacked sometime in the first half of March when an employee was successfully spear phished and opened an infected spreadsheet. As soon as the spreadsheet was opened, an advanced persistent threat (APT) — a backdoor Trojan — called Poison Ivy was installed. From there, the attackers basically had free rein of RSA’s internal network, which led to the eventual dissemination of data pertaining to RSA’s two-factor authenticators.
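The attachment vector described above, Flash embedded in an Excel spreadsheet, is something a mail gateway or analyst can triage for without an exploit signature. The following is an added example written for this article, not code from RSA or Adobe: it scans a legacy OLE2 Office file for plausible SWF headers. The sample bytes are constructed, not a real malicious document.

```python
"""Flag legacy Office files (.xls/.doc) that carry an embedded Flash (SWF) object.

Added example, not code from the article or from RSA/Adobe. It looks for the
three SWF signatures and sanity-checks the header, so random byte runs in an
ordinary document are not reported. Sample inputs below are constructed.
"""
import struct

# An SWF starts with a 3-byte signature (plain, zlib or LZMA compressed),
# a version byte, and a little-endian uint32 total uncompressed length.
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")
SWF_HEADER_LEN = 8
# OLE2 compound-file magic used by .xls/.doc from before the Office 2007 formats.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def find_embedded_swf(data: bytes, max_version: int = 50):
    """Return sorted (offset, signature, version, declared_length) tuples for
    every plausible SWF header inside data (container-agnostic byte scan)."""
    hits = []
    for sig in SWF_SIGNATURES:
        pos = data.find(sig)
        while pos != -1:
            if pos + SWF_HEADER_LEN <= len(data):
                version = data[pos + 3]
                (length,) = struct.unpack_from("<I", data, pos + 4)
                # A real header has a small, non-zero version and a length of at
                # least the header itself; this filters accidental "FWS" runs.
                if 1 <= version <= max_version and length >= SWF_HEADER_LEN:
                    hits.append((pos, sig.decode(), version, length))
            pos = data.find(sig, pos + 1)
    return sorted(hits)


def is_suspicious_office_file(data: bytes) -> bool:
    """An OLE2 Office file with an SWF header inside it deserves quarantine
    and analysis before it reaches a user's desktop."""
    return data.startswith(OLE2_MAGIC) and bool(find_embedded_swf(data))


# Constructed sample: OLE2 magic, a filler sector, then a fake CWS header
# (version 10, declared length 4096) followed by junk "payload" bytes.
SAMPLE_XLS = (OLE2_MAGIC + b"\x00" * 504
              + b"CWS" + bytes([10]) + struct.pack("<I", 4096) + b"x" * 64)
CLEAN_XLS = OLE2_MAGIC + b"\x00" * 600

if __name__ == "__main__":
    print(find_embedded_swf(SAMPLE_XLS))
    print(is_suspicious_office_file(SAMPLE_XLS), is_suspicious_office_file(CLEAN_XLS))
```

OLE2 stores streams in 512-byte sectors that may be fragmented, so a raw scan can miss a header that straddles a sector boundary; a full OLE2 stream parser removes that gap, but the byte scan is enough for a cheap first-pass filter.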
The attack is reminiscent of the APTs used in the China vs. Google attacks from last year — and indeed, Uri Rivner, the head of new technologies at RSA, is quick to point out that other big companies are being attacked, too: “The number of enterprises hit by APTs grows by the month; and the range of APT targets includes just about every industry. Unofficial tallies number dozens of mega corporations attacked [...] These companies deploy any imaginable combination of state-of-the-art perimeter and end-point security controls, and use all imaginable combinations of security operations and security controls. Yet still the determined attackers find their way in.”
What we’d like to know, though, is whether the attack on RSA was caused by Adobe’s lackadaisical approach to patching Flash — or was it the other way around? Was it the RSA attack that first brought the zero-day vulnerability to Adobe’s attention?