The targeted attack that exploited a previously unknown vulnerability in Adobe’s Reader application last month was extremely focused on defense industrial base firms, and affected just a handful of systems, according to a company spokesman.
Fewer than 20 machines, spread across a number of firms in the defense industrial base, were ultimately targeted in the attacks, which took advantage of a previously unknown (“zero day”) vulnerability in Adobe’s Reader and Acrobat software and three year old proof of concept exploit code written by a security researcher, according to Brad Arkin, the Director of Product Security and Privacy at Adobe.
Arkin was speaking before the International Conference on Cyber Security (ICCS) about the process through which software vulnerabilities become tools for cyber criminals. ICCS, in its third year, is a gathering of law enforcement officials and “white hat” hackers that’s sponsored by the FBI and Fordham University.
Adobe first warned customers about the vulnerability on December 6, days after learning about it from multiple customers in the defense industrial base, Arkin said. At that point, corrupted PDF files that exploited the vulnerability were already being sent to targeted e-mail addresses within those organization. But Arkin said the number of victims was very small – fewer than 20 in all, spread across a number of companies.
In the wake of that warning, speculation about the attack turned to defense giant Lockheed Martin, which was credited in the Adobe security bulletin for submitting the report. Adobe has not denied that Lockheed Martin was targeted.
No phishing expedition or spam campaign, the attack in late November was clearly targeted at defense firms, though its unclear if the attackers had any specific technology in mind, Arkin told Threatpost.
“This was a single team with a single set of targets,” he said.
Subsequent research by Brandon Dixon of 9bplus revealed that the attack used a corrupted PDF targeted at employees of ManTech, a large defense contractor. When opened, the corrupted PDF downloaded the Sykipot Trojan, a known family of malware.
Arkin said that, though sophisticated, the attackers behind the incident weren’t beyond taking some shortcuts in assembling their attack. Citing Dixon’s research, he said that the exploit for the CVE-2011-2642 vulnerability wasn’t written from scratch. Rather, the attackers copy and pasted boilerplate code from a proof of concept exploit created by security researcher Felipe Andreas Manzano back in 2009. Dixon reached that conclusion by analyzing comments in the exploit code and linking it back to Manzano’s published research.
The lesson? Arkin said his company wouldn’t dream of telling independent minded security researchers to keep mum about their discoveries. However, he also thinks that white hat researchers should know that cyber criminals are using publicly disclosed exploit work as “free R&D” to speed their own development process and lower the cost of attacks.
“I think its great when people spend their own time and energy to find bugs and vulnerabilities in software. I would just request that they think about all the possible uses of that information before they publish anything,” Arkin said.