Is this the phishing email that caused the RSA breach?
Posted on 26 August 2011.
"I forward this file to you for review. Please open and view it," is the entire message body of the email thought to have delivered the backdoor behind the massive RSA breach in March.

Using the few details that had been shared about it - namely, that the email carried an attachment named 2011 Recruitment plan.xls and had "2011 Recruitment Plan" as its subject line - F-Secure researcher Timo Hirvonen spent months digging through the malware-sample database that VirusTotal shares with security companies, hoping that someone had uploaded the attached file for a scan.

As it turns out, both the email and the attachment had been uploaded. Here is what the email looks like:


With a "From" address spoofed to look like it came from the webmaster of the recruiting website Beyond.com, the email was sent to one EMC employee and CC'd to three others on 3 March.

The attached Excel spreadsheet contained an embedded Flash object; when Excel rendered it, the object exploited a vulnerability to install the Poison Ivy backdoor on the victim's computer.

The backdoor then contacted a server from which the attacker could remotely access the workstation and other network drives, and from there move on to the rest of the network.
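The attack chain above (spoofed sender, Office attachment, Flash object embedded in the spreadsheet) is exactly what a mail-gateway triage script can look for before the file ever reaches a user. The following is an added example, not code from F-Secure or Help Net Security, and it does not reproduce the real attachment: it builds a constructed message with a fake .xls payload, then flags a From/Return-Path domain mismatch, an Office attachment, and any embedded SWF header (the `FWS`, `CWS` and `ZWS` magic bytes of uncompressed, zlib- and LZMA-compressed Flash files). The plain byte scan is a heuristic; in a real OLE2 .xls the SWF lives in a stream that may be split across sectors, so a production check would parse the compound file first.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Magic bytes at the start of every SWF file: uncompressed, zlib, LZMA.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")
# Attachment extensions that carried exploits in attacks like this one.
RISKY_EXT = (".xls", ".xlsx", ".doc", ".docx", ".ppt", ".pptx", ".pdf")


def sender_domain(addr_header) -> str:
    """Lower-cased domain of the first address in a header ('' if none)."""
    m = re.search(r"@([\w.-]+)", str(addr_header or ""))
    return m.group(1).lower() if m else ""


def find_swf_offsets(blob: bytes) -> list:
    """Offsets of SWF headers whose length field (bytes 4..7, little-endian)
    is plausible, to avoid matching the three letters by chance."""
    hits = []
    for magic in SWF_MAGICS:
        start = 0
        while True:
            i = blob.find(magic, start)
            if i < 0:
                break
            if i + 8 <= len(blob):
                declared = int.from_bytes(blob[i + 4:i + 8], "little")
                if 8 <= declared <= 64 * 1024 * 1024:
                    hits.append(i)
            start = i + 1
    return sorted(hits)


def triage(raw: bytes) -> dict:
    """Return the findings a gateway would log for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # Display sender vs. bounce address: a cheap spoofing indicator.
    from_dom = sender_domain(msg.get("From", ""))
    path_dom = sender_domain(msg.get("Return-Path", ""))
    if from_dom and path_dom and from_dom != path_dom:
        findings.append(f"From domain {from_dom} != Return-Path domain {path_dom}")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name.endswith(RISKY_EXT):
            findings.append(f"office/pdf attachment: {name}")
        offsets = find_swf_offsets(data)
        if offsets:
            findings.append(f"embedded SWF header in {name} at offsets {offsets}")

    return {"subject": str(msg.get("Subject", "")),
            "findings": findings,
            "suspicious": bool(findings)}


def build_sample() -> bytes:
    """Constructed sample message, hypothetical domains; the 'spreadsheet' is
    just an OLE2 magic number followed by a fake zlib-compressed SWF header."""
    fake_xls = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24
                + b"CWS\x0a" + (1200).to_bytes(4, "little") + b"\x00" * 16)
    m = EmailMessage()
    m["Subject"] = "2011 Recruitment Plan"
    m["From"] = "webmaster@beyond.example"          # spoofed display sender
    m["Return-Path"] = "<bounce@mailer.example>"    # real bounce address
    m["To"] = "employee@corp.example"
    m.set_content("I forward this file to you for review. Please open and view it.")
    m.add_attachment(fake_xls, maintype="application", subtype="vnd.ms-excel",
                     filename="2011 Recruitment plan.xls")
    return m.as_bytes()


if __name__ == "__main__":
    for line in triage(build_sample())["findings"]:
        print("ALERT:", line)
```

Running the script prints three alerts for the constructed message: the sender-domain mismatch, the .xls attachment, and the SWF header at offset 32 inside it. Each finding is a separate string so a gateway can score them independently rather than block on any single one.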

"The attack email does not look too complicated," points out F-Secure. "In fact, it's very simple. However, the exploit inside Excel was a zero-day at the time and RSA could not have protected against it by patching their systems."

According to Computerworld, RSA was contacted but has not confirmed that the email that was found is one of the two that wreaked such havoc in the company.





