RSA detailing SecurID hack to customers sworn to secrecy


"They performed privilege escalation on non-administrative users in the targeted systems, and then moved on to gain access to key high-value targets, which included process experts and IT and non-IT specific administrators," Rivner writes.

The attacker set up staging servers as "key aggregation points" and "then they went into servers of interest, removed data and moved it to internal staging servers where the data was aggregated, compressed and encrypted for extraction," according to Rivner's RSA blog."The attacker then used FTP to transfer many password-protected RAR files from the RSA file server to an outside staging area at an external, compromised machine at a hosting provider." The attacker stole away with the files from there.

The Adobe zero-day vulnerability, now patched by Adobe, allowed the attacker to control the victim's machine at RSA and use a variant of a called Poison Ivy to set up a command-and-control system aimed at extricating data.

Sam Curry, chief technology officer, marketing, at RSA, says the NetWitness NextGen security-monitoring product, which RSA has used for three years, was instrumental in detecting the attack in progress. "It helped us to identity it," he says.

Coincidentally, RSA has been in discussions to acquire the company NetWitness, which it did on April 1 and .