Gang Behind Adobe Hack Hit Other Unnamed Companies

An expert involved in the investigation into the Adobe hack said it could be one of the worst breaches in U.S. history.

The attackers behind the Adobe hack and breaches against data brokers such as LexisNexis have also been linked to similar intrusions against other unnamed organizations. Security expert Alex Holden, who along with security blogger Brian Krebs uncovered the data lost in the Adobe breach, said those compromised organizations are being notified.

“We don’t want to disclose who they are because they may still be unaware of the incident and may be still vulnerable,” Holden told Threatpost today.

Adobe went public with some details on its breach late yesterday; the company was compromised sometime between July 31 and Aug. 15, and the attack was not discovered by Adobe until Sept. 17. The company disclosed that in addition to the hackers accessing source code for a number of products including Adobe’s ColdFusion Web application server, Acrobat, Publisher and possibly other products, close to three million customer records, including encrypted credit card numbers, were stolen.

“I would characterize the breach as one of the worst in U.S. history,” Holden said, “because the source code of an end user product such as Adobe Reader and Adobe Publisher was breached and leaked. This allows additional attack vectors to be discovered and viruses to be written for which there are no defenses.

“This gang is sophisticated and some new things may follow, I’m sure,” Holden said. “The source code leaks and attacks sourced from this situation may be devastating.”

In addition, Holden said this gang has been using ColdFusion exploits in other attacks since the beginning of this year—perhaps back into December—adding that he and Krebs also saw a list of 1.2 million potential .org domains running ColdFusion that the attackers could use as targets stored among the stolen data. Such domain lists are available for sale on the underground, Holden said, though he added he was not certain whether this gang had bought such a service.

“This is just one collection of data,” Holden said. “It’s a huge amount of targets, a huge scale.”

ColdFusion has been patched several times by Adobe this year, going as far back as Jan. 4 when the company reported that ColdFusion exploits were in the wild for unpatched vulnerabilities in the software. Attackers were targeting three particular vulnerabilities for ColdFusion 10, 9.02, 9.0.1 and 9.0 for Windows. Hackers were using exploits to bypass authentication schemes in ColdFusion and remotely controlling Web servers running the software. Those vulnerabilities were patched Jan. 15, but organizations may have been slow in patching Internet-facing servers, leaving themselves exposed to attack.

Since then, vulnerabilities were patched in the software in May, after weeks prior cloud-hosting company Linode revealed it was breached by attackers using a ColdFusion zero day, and customer records including payment card information were lost. Previously, on Dec. 11, Adobe patched a sandbox permissions flaw in ColdFusion, weeks after an out-of-band patch resolved a denial-of-service vulnerability.

There’s no indication this string of exploits and publicly reported attacks are related to the Adobe hack. Krebs reported yesterday that Adobe chief security officer Brad Arkin was unsure yet whether the attackers who breached Adobe did so using a ColdFusion exploit, only that they had exploited “some type of out-of-date” software. Similar APT-style attacks begin with a phishing email where legitimate credentials are stolen and used to pivot internally on compromised networks.

In the meantime, Holden said today he was still unsure of whether the attacks on Adobe and the data brokers were a criminal operation or nation-state funded, though the attackers are Russian-speaking, he said. Holden’s company, Hold Security LLC, monitors the hacker underground for such activity, including in this case, communication to and from the gang’s server hosting stolen data.

“The host is still alive; the bad guys are still putting stolen data on it,” Holden said. “We found this is the same gang. The signatures, files and data match between several attacks.”

Holden and Krebs discovered a 40 GB file of stolen data, Krebs reported yesterday, on the same server hosting data stolen from brokers LexisNexis, Dun & Bradstreet and Kroll. Krebs said Web servers at those companies and others had been compromised by an identity theft service known as SSNDOB, and were acting as a botnet since April communicating with its attackers.

Holden, who speaks Russian natively, said Krebs brought him in at that point to help with the investigation; the two had collaborated on other breach investigations, Holden said. Currently, Holden said, he is trying ascertain whether other Adobe products are affected in the breach and whether the hackers got in just once or multiple times. They are also cooperating with Adobe, which continues its internal investigation into how it was breached, the means by which the data was exfiltrated.

Adobe recommends that its customers change their Adobe account passwords and that affected customers will be offered a year’s worth of free credit monitoring.

Suggested articles