The attackers behind the Adobe hack and breaches against data brokers such as LexisNexis have also been linked to similar intrusions against other unnamed organizations. Security expert Alex Holden, who along with security blogger Brian Krebs uncovered the data lost in the Adobe breach, said those compromised organizations are being notified.

“We don’t want to disclose who they are because they may still be unaware of the incident and may be still vulnerable,” Holden told Threatpost today.

Adobe went public with some details on its breach late yesterday; the company was compromised sometime between July 31 and Aug. 15, and the attack was not discovered by Adobe until Sept. 17. The company disclosed that in addition to the hackers accessing source code for a number of products including Adobe’s ColdFusion Web application server, Acrobat, Publisher and possibly other products, close to three million customer records, including encrypted credit card numbers, were stolen.

“I would characterize the breach as one of the worst in U.S. history,” Holden said, “because the source code of an end user product such as Adobe Reader and Adobe Publisher was breached and leaked. This allows additional attack vectors to be discovered and viruses to be written for which there are no defenses.

“This gang is sophisticated and some new things may follow, I’m sure,” Holden said. “The source code leaks and attacks sourced from this situation may be devastating.”

In addition, Holden said this gang has been using ColdFusion exploits in other attacks since the beginning of this year—perhaps back into December—adding that he and Krebs also saw, stored among the stolen data, a list of 1.2 million potential .org domains running ColdFusion that the attackers could use as targets. Such domain lists are available for sale on the underground, Holden said, though he added he was not certain whether this gang had bought such a service.

“This is just one collection of data,” Holden said. “It’s a huge amount of targets, a huge scale.”

ColdFusion has been patched several times by Adobe this year, going as far back as Jan. 4, when the company reported that ColdFusion exploits were in the wild for unpatched vulnerabilities in the software. Attackers were targeting three particular vulnerabilities in ColdFusion 10, 9.02, 9.0.1 and 9.0 for Windows. Hackers were using exploits to bypass authentication schemes in ColdFusion and remotely control Web servers running the software. Those vulnerabilities were patched Jan. 15, but organizations may have been slow in patching Internet-facing servers, leaving themselves exposed to attack.

Since then, vulnerabilities in the software were patched in May, weeks after cloud-hosting company Linode revealed it had been breached by attackers using a ColdFusion zero day and that customer records, including payment card information, were lost. Previously, on Dec. 11, Adobe patched a sandbox permissions flaw in ColdFusion, weeks after an out-of-band patch resolved a denial-of-service vulnerability.

There’s no indication that this string of exploits and publicly reported attacks is related to the Adobe hack. Krebs reported yesterday that Adobe chief security officer Brad Arkin was unsure yet whether the attackers who breached Adobe did so using a ColdFusion exploit, only that they had exploited “some type of out-of-date” software. Similar APT-style attacks begin with a phishing email through which legitimate credentials are stolen and then used to pivot internally on compromised networks.

In the meantime, Holden said today he was still unsure of whether the attacks on Adobe and the data brokers were a criminal operation or nation-state funded, though the attackers are Russian-speaking, he said. Holden’s company, Hold Security LLC, monitors the hacker underground for such activity, including in this case, communication to and from the gang’s server hosting stolen data.

“The host is still alive; the bad guys are still putting stolen data on it,” Holden said. “We found this is the same gang. The signatures, files and data match between several attacks.”

Holden and Krebs discovered a 40 GB file of stolen data, Krebs reported yesterday, on the same server hosting data stolen from brokers LexisNexis, Dun & Bradstreet and Kroll. Krebs said Web servers at those companies and others had been compromised by an identity theft service known as SSNDOB, and were acting as a botnet since April communicating with its attackers.

Holden, who speaks Russian natively, said Krebs brought him in at that point to help with the investigation; the two had collaborated on other breach investigations, Holden said. Currently, Holden said, he is trying to ascertain whether other Adobe products are affected in the breach and whether the hackers got in just once or multiple times. They are also cooperating with Adobe, which continues its internal investigation into how it was breached and the means by which the data was exfiltrated.

Adobe recommends that its customers change their Adobe account passwords; affected customers will be offered a year’s worth of free credit monitoring.

Categories: Data Breaches

Comments (4)

  1. Rick Vidallon

    Well I guess there just might be a future for the rolodex, typewriter and carbon paper after all.

  2. Bob

    The only Adobe product I still use is Flash Player and I wish I could get rid of that too. I gave up on Reader several years back when it was obvious that Adobe could not clean up its act and protect its products. Now it seems that they cannot even protect their company and the user data entrusted to them. They should put some serious effort into fixing their products or the whole company will go the same way as the dinosaur.

  3. Phil Too

    How is it that Adobe’s position in the marketplace is so entrenched that it can survive not only the outrage at the subscription-based business model but also the shocking failures in their security? After being forced to admit they had lost the user account passwords and associated (encrypted) credit card details of 3 million users, they then went on to grudgingly admit the number was closer to 38 million, and now they are equally dismissive and patronising about the claim that the true figure is closer to 152 million user accounts and details.

    Adobe hack exposed 152 million accounts; company refutes (Techie News)
    http://www.techienews.co.uk/972837/adobe-hack-exposed-152-million-accounts-company-refutes/

    I say grudgingly admit, because until Krebs made the information public Adobe claimed they were unaware which is bad enough, then that they were aware but did not inform users, which is worse.

    Either way it’s not good enough; how long can it be before the CC/subscription model is hacked again and users are locked out of both their applications and data?

    Adobe cannot state that it will never happen, no company could do that. Maybe when or if it happens we shall see a fall in the Adobe share price.

    Perhaps Adobe could spend more time and money on its product, support and users than on the PR management of a security disaster.
