The March breach of security vendor RSA made headline news, but, according to a news report from Krebs on Security, up to 760 other organizations were hit at the same time:
“The information suggests that more than 760 other organizations had networks that were compromised with some of the same resources used to hit RSA. Almost 20 percent of the current Fortune 100 companies are on this list.”
The list reads like a who’s who of government, technology and financial institutions: AT&T, Cisco-EU, eBay, the European Space Agency, Facebook, IBM, Intel, the IRS, Microsoft, Novell, Seagate, VMware, Wells Fargo, Yahoo and hundreds of others.
The article also shows a breakdown of the locations of the Command and Control (C&C) servers used in the attack. The majority (299) were located in China; other notable locations include South Korea, Pakistan and Brazil.
So how did the attackers infiltrate some of the top technology organizations of the world?
According to F-Secure, it all started with a spoofed e-mail from an employment agency. Employees of RSA’s parent company EMC received a targeted e-mail entitled “2011 Recruitment plan”. The e-mail included a malicious XLS spreadsheet that, when opened, installed the Poison Ivy backdoor program.
The e-mail simply stated, “I forward this file to you for review. Please open and view it”…