When RSA announced that it had discovered a network intrusion in which attackers obtained information that could lead to the compromise of its SecurID two-factor authentication tokens, it dubbed the attack “extremely sophisticated.” In the wake of the announcement, the speculation was that the attack was an APT (advanced persistent threat). New information, though, suggests that RSA was simply the victim of a common phishing attack whose payload exploited a zero-day flaw in Adobe Flash, a vulnerability for which no patch existed on the day the email arrived.
Adobe issued a security advisory on March 14 warning users that a vulnerability had been discovered in Adobe Flash Player, and in the authplay.dll component that ships with Adobe Reader and Adobe Acrobat to render Flash content inside PDFs. The flaw was being exploited in limited, targeted attacks that delivered a malicious Flash (SWF) file embedded in a Microsoft Excel (XLS) email attachment. Apparently, someone within RSA received such an attachment, opened the Excel file, and triggered the embedded Flash object, which exploited the flaw, compromised the PC, and gave the attackers full control of that system.
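The delivery mechanism just described, a Flash object hidden inside an Excel attachment, can be detected at a mail gateway without knowing anything about the vulnerability itself, which matters when the flaw is a zero-day and no patch exists. The following is an added example, not code from the original post, from RSA, or from Adobe: it scans an attachment's raw bytes for SWF headers, validates each one (version and length checks, plus a test inflate of the zlib body for compressed SWFs so that stray "CWS" byte runs are not reported), and flags an OLE2 (legacy Office) document that carries one. The sample file bytes, the decoys, and the verdict strings are all constructed for the example. One caveat: it treats the file as a flat byte string; a production filter would parse the OLE2 container (for example with the olefile library) and scan each stream, because a stream's sectors need not be contiguous on disk.

```python
"""Flag e-mail attachments that carry an embedded Flash (SWF) object.

Added example for this post (not code from RSA, Adobe or the original
article). It looks for the SWF signatures 'FWS' (uncompressed) and 'CWS'
(zlib-compressed) anywhere in a file, validates the 8-byte header, and
treats an OLE2 (legacy .xls/.doc/.ppt) document containing one as the
kind of attachment described in the Adobe advisory.
"""
import re
import struct
import zlib

# Compound-document magic shared by legacy Office formats (.xls, .doc, .ppt).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# SWF header: 3-byte signature, 1-byte version, 4-byte little-endian length.
# 'ZWS' (LZMA, Flash 13+) is deliberately left out of this example.
SWF_MAGIC = re.compile(rb"[FC]WS")


def find_embedded_swf(data, max_version=64):
    """Return plausible SWF headers found anywhere in `data`.

    Each hit is a dict of offset, signature, version and declared length.
    Matches are validated on version and length, and for CWS the body is
    test-inflated, so random 'FWS'/'CWS' byte runs are rejected.
    """
    hits = []
    for m in SWF_MAGIC.finditer(data):
        off = m.start()
        header = data[off:off + 8]
        if len(header) < 8:
            continue
        sig = bytes(header[:3])
        version = header[3]
        declared_len = struct.unpack("<I", header[4:8])[0]
        if not 1 <= version <= max_version or declared_len < 8:
            continue
        if sig == b"FWS" and declared_len > len(data) - off:
            continue  # uncompressed length cannot exceed what is left of the file
        if sig == b"CWS":
            # For CWS the declared length is the *uncompressed* size, so check
            # instead that the bytes after the header are a real zlib stream.
            body = data[off + 8:off + 8 + 4096]
            if len(body) < 2:
                continue
            try:
                zlib.decompressobj().decompress(body, 64)
            except zlib.error:
                continue
        hits.append({
            "offset": off,
            "signature": sig.decode("ascii"),
            "version": version,
            "declared_length": declared_len,
        })
    return hits


def assess_attachment(data):
    """Verdict a gateway filter might return for an attachment's bytes (strings are constructed for this example)."""
    swfs = find_embedded_swf(data)
    if data[:8] == OLE2_MAGIC and swfs:
        return "block: Office document with embedded Flash"
    if swfs:
        return "review: Flash content outside an Office container"
    return "allow"


def _make_swf(compressed):
    """Constructed SWF-shaped bytes (a header plus a dummy body, not a real movie)."""
    body = b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00\x00\x0c\x01\x00" + b"\x00" * 40
    total = 8 + len(body)  # the SWF length field counts the header too
    if compressed:
        return b"CWS" + bytes([10]) + struct.pack("<I", total) + zlib.compress(body)
    return b"FWS" + bytes([10]) + struct.pack("<I", total) + body


# Constructed sample: a fake 512-byte OLE2 header sector, two decoy byte
# runs that must be rejected, then an uncompressed and a compressed SWF.
SAMPLE_XLS = (
    OLE2_MAGIC + b"\x00" * 504
    + b"CWS\x00\x00\x00\x00\x00"      # decoy: version 0
    + b"FWS\x0a\xff\xff\xff\xff"      # decoy: declared length larger than the file
    + b"\x00" * 100
    + _make_swf(compressed=False)     # begins at offset 628, 61 bytes long
    + b"\x00" * 64
    + _make_swf(compressed=True)      # begins at offset 753
    + b"\x00" * 64
)

if __name__ == "__main__":
    for hit in find_embedded_swf(SAMPLE_XLS):
        print(hit)
    print(assess_attachment(SAMPLE_XLS))
```

Running the file prints the two validated hits (offsets 628 and 753) and the "block" verdict for the constructed sample; the two decoys are silently dropped by the version and length checks.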
Adobe released updates for Flash Player, Acrobat, and Reader about a week after announcing the zero-day threat (except for Reader X for Windows, whose Protected Mode sandbox already prevents the exploit from executing, so that fix was deferred to the next scheduled update). I don’t know if RSA has implemented those updates yet, but hopefully it has.
The lesson here is that even if you are RSA (a company virtually synonymous with security, the namesake of the biggest security conference of the year, and the provider of two-factor authentication tokens relied on to protect systems and data around the globe), one well-timed social engineering email and a little human error are all it takes for an attacker to get inside and reach sensitive information. Because the flaw was unpatched when the email arrived, prompt patching alone could not have stopped it; the controls that could have helped are the ones that do not depend on the vulnerability being known, such as filtering or sandboxing Office attachments that carry active content, running a sandboxed reader, and limiting what a single compromised workstation can reach.
The bonus lesson is that it is bad PR to call an attack “extremely sophisticated” and then face the embarrassment of its turning out to be an average, ordinary phishing attack, especially for a security company.