Could stolen ColdFusion and Acrobat source code spawn a new generation of zero-day attacks?

Mathew J. Schwartz, Contributor

October 4, 2013

Adobe began warning 2.9 million customers Thursday that their Adobe user ID, as well as passwords and credit card numbers -- stored in encrypted format -- were stolen in a series of "sophisticated attacks" that appear to date from August 2013, if not earlier.

Adobe's breach warning to customers was preceded by a Wednesday blog post, written by Adobe chief security officer Brad Arkin, revealing that Adobe is investigating the illegal access of source code for Adobe Acrobat, ColdFusion, ColdFusion Builder and other Adobe products.

What are the precise information security risks associated with the double-barreled theft of both source code and customer information? Here are seven facts:

1. Adobe Suspects One Gang Behind The Breaches

Just what did the Adobe attackers steal? "Our investigation currently indicates that the attackers accessed Adobe customer IDs and encrypted passwords on our systems," said Adobe's Arkin in the Thursday security announcement. "We also believe the attackers removed from our systems certain information relating to 2.9 million Adobe customers, including customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders."

Adobe suspects -- but hasn't yet confirmed -- that whoever stole the customer data also stole the source code, and the company's investigators don't currently think that attackers accessed decrypted versions of credit or debit card numbers. "We deeply regret that this incident occurred," Arkin said. "We're working diligently internally, as well as with external partners and law enforcement, to address the incident."

2. Breach Dates From August 2013 -- Or Earlier

The breach was discovered one week ago, not by Adobe, but rather by security researchers Brian Krebs and Hold Security CISO Alex Holden. "[We] discovered a massive 40-GB source code trove stashed on a server used by the same cyber criminals believed to have hacked into major data aggregators earlier this year, including LexisNexis, Dun & Bradstreet and Kroll," Krebs said in a Thursday blog post. "The hacking team's server contained huge repositories of uncompiled and compiled code that appeared to be source code for ColdFusion and Adobe Acrobat."

According to Krebs, Adobe has been investigating "a potentially broad-ranging breach into its networks" since Sept. 17, 2013. In a related blog post, Hold Security's Holden said, "It appears that the breach of Adobe's data occurred in early August of this year, but it is possible that the breach was ongoing earlier."

3. Customers Dismiss Adobe Email Notification As Spam

Adobe said it's reset all affected customers' passwords and warned customers who reused the same password on other sites (security tip: never, ever reuse passwords) to reset it there as well. Adobe has also shared information with relevant banks about stolen credit and debit card numbers, and Arkin said the company is also offering customers whose credit or debit card information was involved the option of enrolling in a one-year complimentary credit monitoring membership, where available.

Adobe customers have reported receiving emailed notifications about the breach, warning them to "monitor your account for incidents of fraud and identity theft, including regularly reviewing your account statements and monitoring credit reports." But two different customers who received that email notification -- sent late Thursday, Pacific Time -- separately told InformationWeek that they'd initially dismissed the "important customer security alert" as spam.

4. Criminals Could Find New, Exploitable Vulnerabilities

Beyond the customer data theft worries, the theft of source code is also cause for concern, because code-savvy attackers -- or anyone else who subsequently obtains a copy of the code -- might be able to study the code and find previously undetected flaws.

"While we are not aware of specific use of data from the source code, we fear that disclosure of encryption algorithms, other security schemes and software vulnerabilities can be used to bypass protections for individual and corporate data," said Hold Security's Holden. "Effectively, this breach may have opened a gateway for new generation of viruses, malware and exploits."

"It should go without saying that no software company ever wants to have criminals steal its source code -- it is, after all, the technology company equivalent of losing the Crown Jewels," said Graham Cluley, an independent security researcher, in a blog post.

5. Adobe To Enterprises: Lock Down Acrobat, ColdFusion

To date, Adobe said that it's seen no new attacks against products for which the source code was stolen. "We are not aware of any zero-day exploits targeting any Adobe products," said Adobe CSO Arkin. Regardless, he recommended that all businesses only run supported versions of the software, apply all security updates, and follow in full the security advice detailed in the Acrobat Enterprise Toolkit and the ColdFusion Lockdown Guide. "These steps are intended to help mitigate attacks targeting older, unpatched, or improperly configured deployments of Adobe products," he said.

6. Attackers Didn't Hack Into Adobe Using ColdFusion

After Adobe detailed the breach, questions quickly centered on ColdFusion, a rapid Web application development platform that was originally developed by Allaire -- as a way to connect HTML pages to databases -- and subsequently purchased by Adobe in 2005.

Did hackers exploit ColdFusion to gain access to Adobe? If so, that wouldn't be unusual. For example, the July 2013 breach at the Department of Energy that resulted in the theft of information relating to 53,000 past and current federal employees -- including dependents and contractors -- was traced to the agency using an outdated and unpatched version of ColdFusion.

But an Adobe official Friday dismissed that possibility. "The breach did not involve a CF vulnerability. Investigations are still happening to figure out the attack vector," tweeted Rakshith Naresh, Adobe's ColdFusion product manager.

7. Bug Hunters Downplay Source Code Value

What might the stolen source code be worth? "Adobe Acrobat source code valued at $500k to $30M on black market," tweeted attorney Jim Denaro at CipherLaw.

But some security experts have disputed at least the high end of that estimate, noting that the potential payoff to be gained from studying the source code to find new bugs that could be turned into working exploits -- aka "weaponized" and sold for a profit -- wouldn't be worth the initial investment.

"You can fuzz bugs cheaper, and you can audit cheaper. It's not so valuable," tweeted the Bangkok-based vulnerability broker known as the Grugq. "It is [definitely] worth more to Adobe than it is to anyone else."

About the Author(s)

Mathew J. Schwartz

Contributor

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.
