The file that helped hack RSA found

The RSA hack was months ago now, but the file and email which helped compromised the security giant has just been found.

Hacker

F-Secure believes it has discovered the file and the email which helped crack EMC's security arm RSA, in what became one of the most famous hacks in history earlier this year.

Timo Hirvonen, an F-Secure analyst, doggedly pursued the XLS file used to hack RSA even after others had given up the chase. Hirvonen created a tool to analyse samples for a Flash object, which was used to exploit the target's system.

"The new tool located several relevant samples. However, one of them was not an Excel file. It was an Outlook message file (MSG)," an F-Secure blog read.

"When Timo opened it up, he knew he was onto something. The message file turned out to be the original email that was sent to RSA on 3 March, complete with the attachment 2011 Recruitment plan.xls. After five months, we finally had the file. And not only that, we had the original email."

The email which was sent to a single EMC employee, with two others CC'd in, was made to look like it came from Beyond.com, a career network.

The subject line read "2011 Recruitment plan" and the body copy contained just one line: "I forward this file to you for review. Please open and view it."

Once the file was opened the Flash object was executed by Excel, using a vulnerability to write code on the victim's machine and then drop a Poison Ivy backdoor to the system. Excel is then closed automatically and the infection is done.

What we think...

It's clear the email which duped EMC was pretty simple. Certainly it would be unadvisable to trust an email which contains just a single line.

This only emphasises the need for further education amongst workforces about spear phishing. It seems even workers at security firms aren't getting the message, which would be laughable if the connotations of the RSA hack weren't so serious.

Tom Brewster, Senior Staff Writer

"After this, Poison Ivy connects back to it's server at good.mincesur.com. The domain mincesur.com has been used in similar espionage attacks over an extended period of time," F-Secure said.

"Once the connection is made, the attacker has full remote access to the infected workstation. Even worse, it has full access to network drives that the user can access. Apparently the attackers were able to leverage this vector further until they gained access to the critical SecurID data they were looking for."

As F-Secure noted, the attack itself did not appear to be hugely sophisticated, although as the vulnerability was a zero-day there was no way RSA could have protected itself by patching.

"Was this an advanced attack? The email wasn't advanced. The backdoor they dropped wasn't advanced. But the exploit was advanced," F-Secure added.

"And the ultimate target of the attacker was advanced. If somebody hacks a security vendor just to gain access to their customers systems, we'd say the attack is advanced, even if some of the interim steps weren't very complicated."

The hackers who went after RSA wanted the company's SecureID information so they could hit US Government contractors, including Lockheed Martin.

Following the Lockheed attacks, RSA offered token replacement for customers "with concentrated user bases typically focused on protecting intellectual property and corporate networks."

Featured Resources

Virtual desktops and apps for dummies

An easy guide to virtual desktop infrastructure, end-user computing, and more

Download now

The total economic impact of optimising and managing your hybrid multi-cloud

Cost savings and business benefits of accelerating the cloud journey

Download now

A buyer’s guide for cloud-based phone solutions

Finding the right phone system for your modern business

Download now

What’s next for the education sector?

A new learning experience

Download now

Recommended

Hackers use open source Microsoft dev platform to deliver trojans
Security

Hackers use open source Microsoft dev platform to deliver trojans

14 May 2021
Russian spy chief rebuffs “pathetic” SolarWinds hack accusations
cyber attacks

Russian spy chief rebuffs “pathetic” SolarWinds hack accusations

18 May 2021
Data breaches increase by a third as staff continue to work from home
cyber security

Data breaches increase by a third as staff continue to work from home

17 May 2021
What is phishing?
phishing

What is phishing?

17 May 2021

Most Popular

KPMG offers staff 'four-day fortnight' in hybrid work plans
flexible working

KPMG offers staff 'four-day fortnight' in hybrid work plans

6 May 2021
Hackers use open source Microsoft dev platform to deliver trojans
Security

Hackers use open source Microsoft dev platform to deliver trojans

14 May 2021
How to move Windows 10 from your old hard drive to SSD
operating systems

How to move Windows 10 from your old hard drive to SSD

30 Apr 2021