05:15 PM
Connect Directly

Hacking The Adobe Breach

Financially motivated attackers could abuse stolen source code for broader attacks

At first glance, the massive breach at Adobe that was revealed last week doesn't neatly fit the profile of a pure cybercrime attack: Not only did the bad guys steal customer data and payment card information from the software company, but they also nabbed the source code for Adobe's ColdFusion, Acrobat, and Reader software.

It's still unclear just how the attackers got Adobe's customer data and its source code, and what, if anything, they have done to tamper with the source code for fraud purposes. But what is clear is that the attackers either purposely or inadvertently accessed both Adobe's valuable customer financial data and its intellectual property -- netting themselves multiple avenues for making money.

"These guys were financially oriented," says Alex Holden, CISO at Hold Security, who, along with Brian Krebs of KrebsOnSecurity, discovered the 40 gigabytes of Adobe source code on the same server as the stolen data from LexisNexis, Dun & Bradstreet, Kroll, and others. "Whether they had access to the source code first ... it remains to be seen."

Adobe late Thursday revealed that it had suffered massive "sophisticated attacks" on its network that resulted in the theft of sensitive information, including payment card information on 2.9 million customers, as well as of source code for multiple Adobe software products, including Adobe Acrobat, ColdFusion, ColdFusion Builder, and other Adobe software. Brad Arkin, chief security officer of Adobe, said the attacks may be related.

Hold Security's Holden says the attackers appear to have had the stolen data in their possession for at least two months. He says one of his biggest worries is that a zero-day attack may be under way against Adobe applications that hasn't yet been spotted. "They might have attacked high-level targets. That's an extremely disturbing and scary thought," Holden says.

Cybercriminals typically try to quickly cash in on stolen payment card information or user credentials. While the stolen Adobe customer payment card data was encrypted, according to Adobe, it's possible the attackers were able to glean the encryption keys or crack the crypto, depending on its strength and implementation, security experts say.

The attackers could monetize the source code by finding and selling exploits for Adobe apps, for instance, experts say. Or they could just keep the exploits for themselves to use in more widespread future attacks.

"If you're going after Adobe or any company, you're going to go after information you can monetize quickly, but also if you find some really good zero-days in Adobe Reader or ColdFusion, that might just lead to future attacks across several customers," says Benjamin Johnson, CTO of Carbon Black. "Everyone has Adobe ... it's such a huge surface area to target."

Exploit sales are lucrative, to the tune of tens of thousands of dollars for an Adobe app, for example. "The source-code is the money-making stuff -- it helps you find the vulnerabilities in Adobe products. For example, a single zero-day exploit for Adobe Reader can be worth $50,000 in the black market," says Timo Hirvonen, senior researcher at F-Secure.

Leveraging Adobe's source code would provide the attackers with a more efficient way to steal information. "In the past, it was so easy for [cybercriminals] to do spree attacks -- you could get millions of people through phishing and keyloggers," says Dan Hubbard, CTO of OpenDNS. "But now it looks more sophisticated, and they are doing things that are more planned, so instead of going after the client and human element, they are going at some of the weaknesses in the infrastructure and pulling data back and figuring out what to do ... It's definitely an interesting change in operations."

If the worst-case scenario becomes reality and the attackers actually poisoned the Adobe source code and then distributed it to Adobe customers, then the software firm was more of a means to an end for the attackers. "If indeed the source code stolen pertains to ColdFusion and Acrobat, this could leave thousands of Web servers open to at-will compromise and make it easier to compromise end-user systems. This breach is a chilling reminder that all software companies should be on guard, as they, too, could be a stepping stone to other targets," says Chris Petersen, CTO and co-founder of LogRhythm.

[Today's reality that you can't stop all cyberattacks means security teams must double down on smarter detection of threats and attacks rather than the traditional approach of mainly trying to prevent them. See CISO Shares Strategies For Surviving The Inevitability Of Attacks .]

It may be some time before the full picture of the Adobe attack emerges -- if it does at all. Security experts say if it indeed took Adobe up to six weeks to notice the attack, the software company is at a disadvantage from the start. "That's a head start the bad guys had," Johnson says. The key is always quick detection to mitigate the damage, experts say.

Bala Venkat, chief marketing officer of application security vendor Cenzic, agrees. "From the investigations underway, it appears this breach at Adobe actually started sometime in August and continued into late September. Such delayed detect and response mechanism is especially alarming. Organizations must ensure a continuous security monitoring process across all of their production applications is in place to detect and report on vulnerabilities real time when a breach occurs. If this policy is enforced with rigor, such breaches could have been contained and the damage minimized much faster and more effectively. “

Another concern is whether the attackers already have made inroads in targeting Adobe's customers. "One of my concerns is the lateral movement within the customer base," Carbon Black's Johnson says, where the attackers already have phished Adobe customers to steal information.

"It's going to be a while until we know the full ramifications of this," he says.

And Adobe is not the last victim of this cybercrime gang: Security experts say to expect further revelations of other organizations that were hit.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
10/15/2013 | 6:47:12 PM
re: Hacking The Adobe Breach
My clients use fingerprinting technology ("AccuMatch DLP - Gtb technologies) with their content aware reverse firewall - which works like a charm. They also have full coverage on those 'unknown' ports, not just SMTP channels, just in case they've "Got Malware, now what??"
User Rank: Strategist
10/8/2013 | 8:50:22 PM
re: Hacking The Adobe Breach
Hi Jeff--Holden wouldn't provide details on what they found besides what was made public previously (Lexis/Nexis, etc.) and now w/Adobe, but he indicated that there were other victims that have yet to be revealed.
User Rank: Apprentice
10/8/2013 | 2:53:04 PM
re: Hacking The Adobe Breach
Can I add that Adobe compounded their lack of security by sending unexpected emails to 3 million people with a request to change their security details by clicking on a link in the same email.

I cannot confirm that anyone has used this fact to try to get login and other information from Adobe users but since support on the Facebook page is basically saying "just click on the link" we have to hope that they will be getting an email with the right link.

If you see nothing wrong in what Adobe has done then you are advised to reset your PayPal Password here.

User Rank: Apprentice
10/8/2013 | 11:07:43 AM
re: Hacking The Adobe Breach
First, than you for covering this story. I'm always amazed at the lack of attention the larger media outlets pay to stories like this. What is puzzling me is what server was the software left on and how did Krebs and Holden find it? Was it open for anyone to view and why was the data not encrypted? Looks like the thieves were as sloppy as Adobe about protecting the source code.
Jeff Jones
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-08-22
Unspecified vulnerability on IBM Power 7 Systems 740 before 740.70 01Ax740_121, 760 before 760.40 Ax760_078, and 770 before 770.30 01Ax770_062 allows local users to gain Service Processor privileges via unknown vectors.

Published: 2014-08-22
Multiple cross-site scripting (XSS) vulnerabilities in framework/common/webcommon/includes/messages.ftl in Apache OFBiz 11.04.01 before 11.04.05 and 12.04.01 before 12.04.04 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, which are not properly handled in a (1)...

Published: 2014-08-22
Unspecified vulnerability in Apache Traffic Server and 5.x before 5.0.1 has unknown impact and attack vectors, possibly related to health checks.

Published: 2014-08-22
Multiple unspecified vulnerabilities in Salt (aka SaltStack) before 2014.1.10 allow local users to have an unspecified impact via vectors related to temporary file creation in (1), (2) salt-ssh, or (3) salt-cloud.

Published: 2014-08-22
Integer overflow in the cdf_read_property_info function in cdf.c in file through 5.19, as used in the Fileinfo component in PHP before 5.4.32 and 5.5.x before 5.5.16, allows remote attackers to cause a denial of service (application crash) via a crafted CDF file. NOTE: this vulnerability exists bec...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Three interviews on critical embedded systems and security, recorded at Black Hat 2014 in Las Vegas.