Is this the phishing email that caused the RSA breach?
Posted on 26 August 2011.
"I forward this file to you for review. Please open and view it," says simply the email that is thought to have been the means of deploying the backdoor that resulted in the massive RSA breach in March.

Using a few of the details shared about it - namely, that the email contained an attachment called 2011 Recruitment plan.xls, and "2011 Recruitment Plan" in the subject line - F-Secure researcher Timo Hirvonen burrowed for months in the malware database shared by Virus Total with security companies, in the hopes that the attached file was uploaded for a check by someone.

As it turns out, both the email and the attachment were uploaded. Here is how it looks like (click on the screenshot to enlarge it):

With a "From" email address spoofed to look like it was coming from the web master of recruiting website, it was sent to an EMC employee and CC'd to three others on the 3rd of March.

The attached Excel spreadsheet contained a Flash object that was executed by Excel and took advantage of a vulnerability to install the Poison Ivy backdoor on the victim's computer.

The backdoor then proceeded to contact a server from which the attacker was able to access remotely the workstation and other network drives, and from that, to the rest of the network.

"The attack email does not look too complicated," points out F-Secure. "In fact, it's very simple. However, the exploit inside Excel was a zero-day at the time and RSA could not have protected against it by patching their systems."

According to Computerworld, RSA was contacted but has not confirmed that the found email is one of the two that wreaked such havoc in the company.


Credential manager system used by Cisco, IBM, F5 has been breached

Pearson VUE is part of Pearson, the world's largest learning company. Over 450 credential owners (including IT organizations such as IBM, Adobe, etc.) across the globe use the company's solutions to develop, manage, deliver and grow their testing programs.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Wed, Nov 25th