Attackers Reused Adobe Reader Exploit Code From 2009 In Extremely Targeted Hacks

The targeted attack that exploited a previously unknown vulnerability in Adobe’s Reader application last month was extremely focused on defense industrial base firms, and affected just a handful of systems, according to a company spokesman.

AdobeThe targeted attack that exploited a previously unknown vulnerability in Adobe’s Reader application last month was extremely focused on defense industrial base firms, and affected just a handful of systems, according to a company spokesman.

Fewer than 20 machines, spread across a number of firms in the defense industrial base, were ultimately targeted in the attacks, which took advantage of a previously unknown (“zero day”) vulnerability in Adobe’s Reader and Acrobat software and three year old proof of concept exploit code written by a security researcher, according to Brad Arkin, the Director of Product Security and Privacy at Adobe.

Arkin was speaking before the International Conference on Cyber Security (ICCS) about the process through which software vulnerabilities become tools for cyber criminals. ICCS, in its third year, is a gathering of law enforcement officials and “white hat” hackers that’s sponsored by the FBI and Fordham University.

Adobe first warned customers about the vulnerability on December 6, days after learning about it from multiple customers in the defense industrial base, Arkin said. At that point, corrupted PDF files that exploited the vulnerability were already being sent to targeted e-mail addresses within those organization. But Arkin said the number of victims was very small – fewer than 20 in all, spread across a number of companies.

In the wake of that warning, speculation about the attack turned to defense giant Lockheed Martin, which was credited in the Adobe security bulletin for submitting the report. Adobe has not denied that Lockheed Martin was targeted. 

The vulnerability, identified as CVE-2011-2462, was patched on Tuesday

No phishing expedition or spam campaign, the attack in late November was clearly targeted at defense firms, though its unclear if the attackers had any specific technology in mind, Arkin told Threatpost.

“This was a single team with a single set of targets,” he said.

Subsequent research by Brandon Dixon of 9bplus revealed that the attack used a corrupted PDF targeted at employees of ManTech, a large defense contractor. When opened, the corrupted PDF downloaded the Sykipot Trojan, a known family of malware.

Arkin said that, though sophisticated, the attackers behind the incident weren’t beyond taking some shortcuts in assembling their attack. Citing Dixon’s research, he said that the exploit for the CVE-2011-2642 vulnerability wasn’t written from scratch. Rather, the attackers copy and pasted boilerplate code from a proof of concept exploit created by security researcher Felipe Andreas Manzano back in 2009. Dixon reached that conclusion by analyzing comments in the exploit code and linking it back to Manzano’s published research.

The lesson? Arkin said his company wouldn’t dream of telling independent minded security researchers to keep mum about their discoveries. However, he also thinks that white hat researchers should know that cyber criminals are using publicly disclosed exploit work as “free R&D” to speed their own development process and lower the cost of attacks.

“I think its great when people spend their own time and energy to find bugs and vulnerabilities in software. I would just request that they think about all the possible uses of that information before they publish anything,” Arkin said.

Suggested articles

It’s Not the Trump Sex Tape, It’s a RAT

Criminals are using the end of the Trump presidency to deliver a new remote-access trojan (RAT) variant disguised as a sex video of the outgoing POTUS, researchers report.

Discussion

  • Anonymous Polar Bear on

    Its fine for Arkin to complain about public disclosure of a zero day exploit but THREE YEARS later he should be apologizing for leaving everyone vulnerable for so long.

  • Anonymous on

    I feel the same way with the above poster... the whole reason we post exploits is so companies will follow security sites and fix the found exploit, not wait three years for something to happen and then patch it. 

  • Anonymous on

    Why follow common sense security practices when it is easier to follow the CompTia model - If no one else finds the hole, it aint broke or, if they haven't developed an acronym for it, it cannot be a hole. 

    Don't be suprised at the finger pointing at researchers.  Some security "Experts" are claiming that open source is BAD because it releases source code into the wild where a black hat hacker can change it for their own purposes.

    Common sense people: Microsoft, Adobe, and many other software companies must be held accountable for the mess instead of pointing fingers at the people who are telling them that they have holes.  Who ever heard of a company that passed their network testing by leaving the network cable unplugged. (Microsoft)

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.