Nation-State Attackers Are Adobe’s Biggest Worry

SAN FRANCISCO–It’s no secret that attackers have made Adobe’s products key targets for the last couple of years, routinely going after bugs in Reader, Flash and Acrobat in targeted attacks and widespread campaigns alike. But it’s not just the rank-and-file bad guys who are making Adobe a priority; it’s more often nation-states, the company’s top security official said.


Adobe, like many other large software companies, has contacts in the big defense contractors, government agencies and other organizations that are most often the targets of state-sponsored attacks. So when a new attack begins, the company typically hears about it within hours as customers begin to call and report a new threat involving an Adobe product. Since the company began its software security program several years ago, the sophistication level of the people finding and exploiting new bugs in Flash or Reader has gone up significantly.

Now, says Brad Arkin, the senior director of product security and privacy at Adobe, it’s at a point where the company’s main adversaries are state-sponsored actors.

“In the last eighteen months, the only zero days found in our software have been found by what Dave Aitel would call carrier-class adversaries,” Arkin said in his keynote speech at the United Security Summit here Tuesday. “These are the groups that have enough money to build an aircraft carrier. Those are our adversaries.”

Arkin said that when a new attack involving a zero-day bug in one of Adobe’s products starts, it typically will begin with attacks against a select group of high-profile organizations. That usually means defense contractors, government agencies or large financial services companies. Once the security teams at those organizations find and analyze the threat, Arkin said his team will begin getting a flurry of calls within an hour or two as the campaign hits.

From there, the attack will often move down the ladder to other large enterprises and then smaller ones as the new exploit shows up in crimeware packs and automated attack tools. By that time, it’s likely an entirely different set of attackers using the exploit. But it’s the well-funded and highly skilled attackers who are doing the real heavy lifting in terms of finding new bugs and designing methods to exploit them.

“These samples trickle downhill really quickly and show up in crime packs,” Arkin said. “The actual exploits it turns out are very, very expensive and difficult to build. Finding the flaw is a lot easier than writing the exploit. If you want to defend against the carrier-class adversary, it’s a very different cost.”

Perhaps the most famous example of this kind of targeted attack is the one that hit RSA Security earlier this year. In that case, the company was compromised through the use of a phishing email that contained an Excel file with a malicious SWF file embedded inside it. An employee opened the email and then the attachment and the attack was off and running from there. Arkin said that while his team didn’t get a sample of the malicious file from RSA, it did see others from organizations that likely were targeted by the same campaign.

“We have lots of friends in the places where people get attacked a lot and I don’t think that RSA was the only target in that campaign,” he said.


Discussion

  • Anonymous on

    How is this anything new

  • Anonymouse on

    Adobe's biggest problem is that they cannot read a format, that they invented, with a reader smaller than 65MB. Free readers like Foxit can do it and without the vulnerabilities. Adobe has gone the way of Symantec and has produced software so bloated that even they cannot sort it out.

  • Anonymous on

    One of the reasons Foxit is so small is that it does not always accurately display a pdf. I had to stop using it because of these inaccuracies. It also lacks many of the other features that are provided by Adobe and others. One feature I believe it now has is adware. Note that I don't use Adobe either. I got sick of the constant need for updates and the feeling that I was always vulnerable. Foxit probably also has the vulnerabilities but it doesn't get challenged because the payoff is not there. It's a bit like the Mac. People said it was secure but it seems it now has many holes in the system. The attackers just had not got around to it.

  • Margaret Bartley on

    When you talked about the RSA case, you should have pointed out that holding down the shift key while opening an Excel or Word file will prevent the Autoexec macro from running.  The Autoexec macro is what starts these viruses.

    A simple pointer, every time this virus is mentioned, would go a long ways toward eliminating this very simple way of attacking.

  • Anonymous on

    Adobe is ALWAYS under attack. I'm sure I'm not the only one who sees their new patch updates almost EVERY DAY! Nothing new....at all. Adobe is UN-RELIABLE!

  • reb on

    Relative to - Submitted by Margaret Bartley (not verified) on Wed, 09/21/2011 - 3:37pm.

    I am still trying to research this.  If the shift down prevents autoexec (and there are posts that claim it doesn't) I will be passing this on to my organization.

    I was amazed to find that someone thinks this is a security risk!

