A then-unpatched vulnerability in Adobe Flash Player contributed to the breach of RSA Security that occurred late last month.
Attackers gained access to the RSA network by sending two small groups of RSA employees emails with attached Excel spreadsheets, according to RSA officials. One of those employees opened the attachment, entitled “2011 Recruitment plan.xls.”
The spreadsheet contained an embedded Flash file that exploited a zero-day vulnerability, one Adobe did not know about at the time, and that allowed hackers to take over an employee’s computer.
From there, the attackers installed a customized variant of the Poison Ivy remote administration tool (RAT) on the compromised computer. Using the RAT, hackers harvested users’ credentials to access other machines within the RSA network, searched for and copied sensitive information, and then transferred the data to external servers they controlled.
Although RSA has not detailed what the thieves made off with, it did say information related to the company’s SecurID two-factor authentication products was part of the stolen data.