RSA: SecurID Attack Was Phishing Via an Excel Spreadsheet

RSA confirmed on Friday that the attack that compromised the company’s high-value SecurID product was essentially a small, targeted phishing campaign that included a payload of a malicious Flash object embedded in an Excel file.


The much-discussed attack on RSA, which the company revealed last month, resulted in the company warning customers that the security of their SecurID authentication tokens may be reduced. Speculation about the exact nature of the attack has been rampant in the security community ever since the disclosure, and RSA has been quite tight-lipped about the details of the incident.

But on Friday the company briefed analysts about the details of the attack and then published a series of explanatory blog posts that spilled some, but not all, of the specifics about the incident.

“The attacker in this case sent two different phishing emails over a two-day period. The two emails were sent to two small groups of employees; you wouldn’t consider these users particularly high profile or high value targets. The email subject line read ‘2011 Recruitment Plan,’” Uri Rivner, head of new technologies in the identity protection division of RSA, wrote in a post on the attack.

“The email was crafted well enough to trick one of the employees to retrieve it from their Junk mail folder, and open the attached Excel file. It was a spreadsheet titled ‘2011 Recruitment plan.xls.’

The spreadsheet contained a zero-day exploit that installs a backdoor through an Adobe Flash vulnerability (CVE-2011-0609).”
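The attachment Rivner describes is a legacy OLE2 Excel file carrying a Flash (SWF) object. An added example, not from RSA or Threatpost, of the triage check a mail gateway or responder can run on such an attachment: scan the raw bytes for SWF headers (FWS/CWS/ZWS, a version byte, a little-endian length) and flag any OLE2 file that contains one. The sample attachment is constructed inline, not a real exploit file.

```python
import struct
from typing import Dict, List

# OLE2 compound-file magic shared by legacy .xls/.doc/.ppt files.
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
# SWF signatures: uncompressed, zlib-compressed and LZMA-compressed Flash.
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")


def find_embedded_swf(data: bytes) -> List[Dict[str, object]]:
    """Return plausible SWF headers found anywhere in a byte blob.

    A SWF header is signature (3 bytes), version (1 byte) and total file
    length (uint32 LE). Requiring a sane version and a length of at least
    the 8-byte header removes most accidental 3-byte matches.
    """
    hits = []
    for sig in SWF_SIGNATURES:
        idx = data.find(sig)
        while idx >= 0 and idx + 8 <= len(data):
            version = data[idx + 3]
            length = struct.unpack_from("<I", data, idx + 4)[0]
            if 1 <= version <= 40 and length >= 8:
                hits.append({"offset": idx, "sig": sig.decode(), "version": version, "length": length})
            idx = data.find(sig, idx + 1)
    return sorted(hits, key=lambda h: h["offset"])


def assess_office_attachment(data: bytes) -> Dict[str, object]:
    """Flag an OLE2 attachment that embeds a Flash object (the RSA lure pattern)."""
    is_ole2 = data.startswith(OLE2_MAGIC)
    swfs = find_embedded_swf(data)
    return {
        "is_ole2": is_ole2,
        "embedded_swf_count": len(swfs),
        "swf_offsets": [h["offset"] for h in swfs],
        "suspicious": is_ole2 and len(swfs) > 0,
    }


def build_sample_xls_with_swf() -> bytes:
    # Constructed sample: OLE2 header sector (512 bytes) followed by a
    # zlib-compressed SWF header (version 10, declared length 4096).
    swf = b"CWS" + bytes([10]) + struct.pack("<I", 4096) + b"\x78\x9c" + b"\x00" * 32
    return OLE2_MAGIC + b"\x00" * 504 + swf + b"\x00" * 64


if __name__ == "__main__":
    print(assess_office_attachment(build_sample_xls_with_swf()))
```

A raw scan misses a header that straddles two non-contiguous OLE2 sectors, so for real triage parse the streams first (tools such as oletools or oledump do this) and apply the same signature check per stream.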

An RSA spokesman confirmed that the blog posts and attack details were authentic.

What Rivner described, and what RSA apparently detailed for industry analysts, is the textbook definition of a targeted phishing attack. What the attacker goes after and obtains once inside the compromised network largely depends on which user he was able to fool and what that victim’s access rights and position in the organization are.

The malware that the attacker installed was a variant of the well-known Poison Ivy remote administration tool, which then connected to a remote machine. Rivner, as well as other RSA employees in their own posts, discussed the attack as an example of an APT (advanced persistent threat), although the method was essentially a spear phishing attack. The emails were sent to what Rivner said was a small group of RSA employees, at least one of whom pulled the message out of a spam folder, opened it and then opened the malicious attachment.

“Having set remote access, now the attacker in a typical APT starts digital shoulder surfing to establish the employee’s role and their level of access. If this isn’t sufficient for the attackers’ purpose, they will seek user accounts with better, more relevant, privileges,” Rivner said.

“When it comes to APTs it is not about how good you are once inside, but that you use a totally new approach for entering the organization. You don’t bother to just simply hack the organization and its infrastructure; you focus much more of your attention on hacking the

The description of the attacker’s tactics once inside RSA’s network is quite similar to what security researchers say are common techniques used to obtain, package up and exfiltrate sensitive data.

“The attacker first harvested access credentials from the compromised users (user, domain admin, and service accounts). They performed privilege escalation on non-administrative users in the targeted systems, and then moved on to gain access to key high value targets, which included process experts and IT and non-IT specific server administrators,” Rivner said in his description of the attack.

“The attacker in the RSA case established access to staging servers at key aggregation points; this was done to get ready for extraction. Then they went into the servers of interest, removed data and moved it to internal staging servers where the data was aggregated, compressed and encrypted for extraction. The attacker then used FTP to transfer many password protected RAR files from the RSA file server to an outside staging server at an external, compromised machine at a hosting provider. The files were subsequently pulled by the attacker and removed from the external compromised host to remove any traces of the attack.”
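The staging pattern Rivner describes (data compressed into many password-protected RAR files, then pushed over FTP to a single external host in a short burst) is exactly what a file-transfer log detector can key on. An added example, not RSA's or Threatpost's code: it parses a constructed FTP transfer log format (not any real server's), ignores transfers to RFC 1918 addresses, and alerts when one user pushes several archives to one external host within a window and above a byte threshold.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed log format for this example: "<ISO time> <user> <src_ip> <verb> <dst_ip> <file> <bytes>".
SAMPLE_LOG = """\
2011-03-10T02:14:07 svc_backup 10.20.5.17 STOR 10.20.5.40 nightly.tar 91234567
2011-03-10T02:31:12 jsmith 10.20.5.17 STOR 203.0.113.45 part01.rar 52428800
2011-03-10T02:33:41 jsmith 10.20.5.17 STOR 203.0.113.45 part02.rar 52428800
2011-03-10T02:36:05 jsmith 10.20.5.17 STOR 203.0.113.45 part03.rar 52428800
2011-03-10T02:38:59 jsmith 10.20.5.17 STOR 203.0.113.45 part04.rar 31457280
2011-03-10T09:02:10 mlee 10.20.7.3 STOR 198.51.100.9 report.pdf 204800
"""
ARCHIVE_EXTS = (".rar", ".zip", ".7z")
# RFC 1918 ranges spelled out: Python's ip_address.is_private also covers the
# documentation ranges used in the sample, which would hide the external host.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str) -> Dict[str, object]:
    ts, user, src, verb, dst, fname, size = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "src": src,
            "verb": verb, "dst": dst, "file": fname, "bytes": int(size)}


def find_staged_exfil(log_text: str, min_files: int = 3, window: timedelta = timedelta(hours=1),
                      min_bytes: int = 100 * 2**20) -> List[Dict[str, object]]:
    """Alert on (user, src, dst) pushing >= min_files archives totalling >= min_bytes
    to an external host inside one sliding window."""
    groups = defaultdict(list)
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        if rec["verb"] != "STOR" or is_internal(rec["dst"]):
            continue  # only outbound uploads to external hosts matter here
        if not rec["file"].lower().endswith(ARCHIVE_EXTS):
            continue
        groups[(rec["user"], rec["src"], rec["dst"])].append(rec)
    alerts = []
    for (user, src, dst), recs in groups.items():
        recs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(recs):
            burst = [r for r in recs[i:] if r["ts"] - first["ts"] <= window]
            total = sum(r["bytes"] for r in burst)
            if len(burst) >= min_files and total >= min_bytes:
                alerts.append({"user": user, "src": src, "dst": dst, "files": len(burst), "bytes": total})
                break  # one alert per tuple is enough
    return alerts
```

The internal backup job and the single PDF upload pass silently; the four RAR parts to one external address in seven minutes trip the rule, which is the kind of check the DLP gap raised in the comments below would close.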


  • David on

    When the person was fooled into opening the attached file would it have made any difference(assuming they were running Windows XP) as to whether they were logged on with a limited account as opposed to an Administrator account?

  • Anonymous on

    @David, yes it would make a difference.

  • david on

    david, yes and no.. once the attacker is on that first system, they can wait days or weeks for the ideal moment which will eventually come.. internal office networks are a security nightmare.. an open file share here.. cached admin credentials there.. a still functional Windows 2000 box or two.. it doesn't take much to turn a small compromise into a full compromise..

  • Anonymous on

    Ain't Flash great? I wish that Adobe would fix the security nightmare that is Flash.

  • Anonymous on

    This attack clearly may have resulted in a cascade failure, i.e. one or more previously identified high-value targets compromised within seconds or minutes of extraction of the data.

  • Owen Davies on

    Compromising an office Windows machine is not difficult; what is interesting is how they then managed to escalate that to a level to be able to compromise servers. A decent architecture is usually run in a way where you assume the office computers are compromised, and have your servers on a separate network with different login credentials.

  • paul on

    I wish Adobe would just pull Flash. Its entire life span has proved that it's not to be trusted. Every time Adobe splurt out "it's safe, we've done X and Y and sandboxed it" we wait a week and there is a 0 day system access exploit. It's one piece of software that should be outlawed.

    RSA of all companies should have pounded this type of attack deep into the memories of every employee, completely inexcusable.

    "Do as we say, not as we do"

  • Ron on

    Its entire life span has proved that it's not to be trusted.

    How is that different from Windows?

    It's one piece of software that should be outlawed.

    Yes, Windows should be outlawed.

    And people should prove that they are competent to use computers before they are allowed on a network.  (Except who do you trust to create a competent test that doesn't ignore Unix/Linux and how would you then restrict access only to competent users?).

  • durka on

    so if the attacker was using compressed and passworded rar files for exfiltration objectives in the rsa attack, my question is why hasn't the company implemented their own DLP solution to stop such items from leaving their own netw

  • terry on

    I think there is a slight difference between an OS of several gigabytes in size when compared to a 400kb application that demands access beyond what it needs, none.

  • Anonymous on

    Seriously?  NetWitness?  NetWitness did absolutely nothing in this situation, and proved worthless for RSA Security.

  • Jonas on

    I'm sure flash is an essential application at a security company such as RSA. I'm glad they take IT security so seriously.

  • philA on

    If do right, Daniel-san, there is no can do defense.


  • Francis Turner on

    Checking on the domains that Uri Rivner reports in his blog post, it looks like RSA could have identified the attack a lot quicker if they had used our IP reputation service. I explain some of this in my blog post -

  • Anonymous on

    Attack the weakest link, PICNIC! To be fair, why is any employee using Flash? YouTube IS NOT WORK RELATED! Bouncing Bunnies IS NOT WORK RELATED! Why would any employer allow employees to use it? Workers are there to work, not waste time.

  • Mememe on

    Sometimes, flash is even required. I don't agree with it, but that's how it is. Some webapps work with Flash. And I don't mean a simple dropbox, nope, just have a look at Hitachi's new Command Suite. It's 95% flash with some java thrown in.

    It's not because you have Flash that it means you watch YT videos. YT would probably have been blocked anyway ;)

  • Anonymous on

    So there wasn't any breach in RSA ?! A PR stunt to justify buying NetWitness? Or pushing Envision product line perhaps.

  • ninamcmr1 on

    I don't want to say right now
