Is this the phishing email that caused the RSA breach?
Posted on 26 August 2011.
"I forward this file to you for review. Please open and view it," is all that is said in the email thought to have been the means of deploying the backdoor that resulted in the massive RSA breach in March.

Using a few of the details shared about it - namely, that the email contained an attachment called 2011 Recruitment plan.xls, and "2011 Recruitment Plan" in the subject line - F-Secure researcher Timo Hirvonen burrowed for months in the malware database that VirusTotal shares with security companies, in the hope that someone had uploaded the attached file for a check.

As it turns out, both the email and the attachment were uploaded.


With a "From" email address spoofed to look like it was coming from the webmaster of recruiting website Beyond.com, it was sent to an EMC employee and CC'd to three others on the 3rd of March.

The attached Excel spreadsheet contained a Flash object that was executed by Excel and took advantage of a vulnerability to install the Poison Ivy backdoor on the victim's computer.

The backdoor then proceeded to contact a server from which the attacker was able to remotely access the workstation and other network drives and, from there, the rest of the network.

"The attack email does not look too complicated," points out F-Secure. "In fact, it's very simple. However, the exploit inside Excel was a zero-day at the time and RSA could not have protected against it by patching their systems."

According to Computerworld, RSA was contacted but has not confirmed that the email that was found is one of the two that wreaked such havoc in the company.





