Security researchers have finally found the file used to hack RSA's systems, about five months after the EMC-owned security firm was hit by what it describes as an advanced persistent threat attack that compromised its SecurID security token system. Following the attack, RSA was forced to offer its more than 20,000 customers new SecurID tokens.
Now Mikko Hyppönen, a researcher at F-Secure, says in a post that, together with his colleague Timo Hirvonen, he has found the Outlook message that started the attack, after an exhaustive search.
Hyppönen says the original email was used to trick an EMC employee into opening an infected spreadsheet.
The message, sent to one EMC employee and copied to three others, was titled '2011 Recruitment plan'; its body said a document was being sent for review and asked the recipient to open and read it. Opening the attachment ran a Flash object embedded in the Excel spreadsheet that exploited vulnerability CVE-2011-0609 to execute code and install a backdoor known as Poison Ivy, before closing Excel, Hyppönen explains.
Poison Ivy then connected to the attack server, allowing the hacker full remote access to the infected computer and all network drives.
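A defender-side check suggested by the attack chain above, as an added example that is not part of the article and not F-Secure's code: scanning an Excel attachment for an embedded Flash (SWF) object before it reaches a user's mailbox. It assumes only the public SWF header layout and that the attachment is either an OOXML zip or a legacy OLE2 .xls; the raw byte scan is a heuristic and will not see objects that have been further encoded.

```python
import io
import re
import struct
import zipfile

# SWF header: 'FWS' (uncompressed), 'CWS' (zlib) or 'ZWS' (LZMA), a version byte, then a
# little-endian uint32 giving the uncompressed file length, header included.
SWF_MAGIC = re.compile(rb"(?:FWS|CWS|ZWS)[\x00-\x40]")

def find_swf_headers(blob: bytes) -> list[dict]:
    """Return plausible SWF headers found anywhere in a byte string."""
    hits = []
    for m in SWF_MAGIC.finditer(blob):
        off = m.start()
        if off + 8 > len(blob):
            continue
        sig = blob[off:off + 3].decode("ascii")
        length = struct.unpack_from("<I", blob, off + 4)[0]
        # Reject text that merely contains 'FWS': the declared length must cover the 8-byte
        # header, and an uncompressed SWF cannot claim more bytes than actually remain.
        if length < 8 or (sig == "FWS" and length > len(blob) - off):
            continue
        hits.append({"offset": off, "signature": sig, "version": blob[off + 3], "declared_length": length})
    return hits

def scan_attachment(data: bytes) -> list[dict]:
    """Scan an Excel attachment (OOXML zip or legacy OLE2 .xls) for embedded Flash objects."""
    findings = []
    if data[:4] == b"PK\x03\x04":
        # OOXML: inspect every zip member (embedded objects included) after inflation.
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                findings += [{"location": name, **h} for h in find_swf_headers(zf.read(name))]
    else:
        # Legacy .xls is an OLE2 compound file; streams start on sector boundaries, so the
        # 8-byte SWF header is contiguous and a raw scan finds it without a full OLE parser.
        findings += [{"location": "<raw stream>", **h} for h in find_swf_headers(data)]
    return findings

def build_sample_xlsx() -> bytes:
    """Constructed sample: a minimal zip shaped like an .xlsx whose embedded object is an
    8-byte SWF header plus zero padding (not a real Flash file and not an exploit)."""
    swf = b"FWS" + bytes([10]) + struct.pack("<I", 20) + b"\x00" * 12
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/embeddings/oleObject1.bin", swf)
    return buf.getvalue()
```

Running `scan_attachment(build_sample_xlsx())` reports the constructed embedded object; a mail gateway would apply the same call to each real attachment and quarantine anything with findings.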
Hyppönen's discovery highlights the enormous importance of training staff, and how simple social engineering can be, even in the security industry.
However, it should be noted that although the attack method was simple, the exploit was a very sophisticated zero-day threat, one for which the company's patch system had no fix at the time.
The so-called 'advanced persistent threat' refers to cyberattacks that have an espionage component and that usually focus on a specific target.
Author: Rosalia Arroyo
Source: ITespresso.es