Avivah Litan, an analyst at Gartner Research, revealed in a blog entry Friday that the recent hack of RSA's SecurID system was performed via the recently-revealed 0-Day bug in Adobe's Flash.
As Adobe stated at the time, the attack was performed by means of a Flash object embedded in an Excel (.XLS) file.
"RSA said the attack started with phishing emails sent to small groups of low-profile RSA users (presumably employees)," she wrote. "The emails were surreptitiously titled "2011 Recruitment Plan" and landed in the users' email Junk folders. (At least RSA's SPAM filters were working, even if their social engineering training for employees was not).
"Attached to the mysterious email was an Excel spreadsheet with recently-discovered Adobe Flash zero day flaw CVE 20110609. With the trojan downloaded, the attackers then started harvesting credentials and made their way up the RSA food chain via both IT and non-IT personnel accounts, until they finally obtained privileged access to the targeted system," Litan added. "The targeted data and files were stolen, and sent to an external compromised machine at a hosting provider. RSA saw the attack, using its implementation of NetWitness, and stopped the attack before more damage could be done."
The revelation of an attack on RSA 2 weeks ago provided few details of the attack, but identified the target as the SecurID and indicated that some attacks against it could be eased owing to the breach.
Litan praises RSA's relative openness and the speed with which they disclosed the attack, but concludes that it doesn't speak well of their internal security. The company sells products which are designed to detect attacks such as these, but either they weren't in use internally or—worse—they were and whiffed.
Adobe has since patched the 0-day bug and Microsoft has documented how to stop Office apps from supporting embedded ActiveX objects.
Originally posted to the PCMag.com security blog, Security Watch. This post was edited and supplemented to by Mark Hachman.