Breach, Data Security, Incident Response, TDR

In wake of Adobe breach, attackers may use insight to dig up zero-days

In the aftermath of a major breach at Adobe, which compromised the financial and personal information of millions and left product source code in the hands of saboteurs, security experts warn users to be vigilant moving forward.

While the public learned of the incidents on Wednesday and Thursday via separate announcements, prior to the news getting out, Adobe was approached by security journalist Brian Krebs and Hold Security CISO Alex Holden.

The two told the company of their alarming discovery: A server containing 40 gigabytes of stolen source code, including that of Adobe, had also been used by hackers that breached LexisNexis, commercial data provider Dun & Bradstreet, risk consulting firm Kroll and the National White Collar Crime Center (NW3C).

Adobe has already begun notifying customers that sensitive data was accessed by hackers – including names, encrypted credit and debit card numbers and card expiration dates. In addition, the company began resetting customer passwords, as miscreants obtained an undisclosed number of Adobe customer IDs and encrypted passwords in the breach.

In addition, on Wednesday, Adobe's CSO Brad Arkin revealed in a blog post that the information on a number of company products, including Adobe Acrobat, ColdFusion and ColdFusion Builder, were pilfered by attackers.

Further disclosure by Krebs revealed that Adobe had launched its own investigation on the breach as of Sept. 17; the company also told him that hackers likely accessed the source code around mid-August.

As impacted individuals, and their banks, begin to take precautions to identify or stop fraud, security professionals are also offering words of caution regarding the threat invoked by the source code theft.

On Friday, Alex Holden, who worked alongside Krebs in investigating the Adobe breach, told in an interview that the attackers were a Russian-speaking group whose motivations appear to be primarily financial.

The hackers' communications were in Russian, along with some software and attack tools used by the group, Holden said.

In a Thursday email, Holden further addressed the threat to Adobe customers. “If they are using the ColdFusion web server, they have to verify that it was not exploited already by reviewing logs, and checking for the presence of malicious software,” Holden wrote.

In the Friday follow-up call, he added that the biggest concern was attackers studying the source code to exploit previously unknown vulnerabilities in Adobe products. “The exploitation of vulnerabilities that have yet to be discovered is the main story,” Holden said, later sharing that attackers may be able to exploit Adobe encryption algorithms with the data they've obtained.  

“It's not only their ability to exploit the [stolen customer] data, but, potentially, encryption algorithms that Adobe uses to encrypt their data,” Holden said.

In the past, the attack group has leveraged vulnerabilities in ColdFusion to target organizations it breached, he explained. More details about the attack method used in the Adobe breach have yet to be confirmed by the company.

On Friday, George Tubin, a senior security strategist at endpoint cyber crime prevention firm Trusteer, an IBM company, said in an interview with that, if exploited, ColdFusion, an Adobe platform used to build enterprise-class Java applications, could be used as an entryway to organizations.

“Now that they have access to the source code, they could more easily find vulnerabilities to launch attacks to get malware to devices,” Tubin said.

In the meantime, Adobe is recommending that customers only run supported versions of its software and implement available patches to mitigate attacks. The company has said that it is not aware of any zero-day exploits targeting its products.

An Adobe spokeswoman declined to comment further on the breach, saying in an email that an “investigation is still ongoing.”

In addition to Adobe's efforts, federal law enforcement are also investigating the breach.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.