Adobe Customer Security Compromised: 7 Facts

Published: 22/11/2024   Category: security



Could stolen ColdFusion and Acrobat source code spawn a new generation of zero-day attacks?



Adobe began warning 2.9 million customers Thursday that their Adobe user ID, as well as passwords and credit card numbers -- stored in encrypted format -- were stolen in a series of sophisticated attacks that appear to date from August 2013, if not earlier.
Adobe's breach warning to customers was preceded by a Wednesday blog post, written by Adobe chief security officer Brad Arkin, revealing that Adobe is investigating the illegal access of source code for Adobe Acrobat, ColdFusion, ColdFusion Builder and other Adobe products.
What are the precise information security risks associated with the double-barreled theft of both source code and customer information? Here are seven facts:
1. Adobe Suspects One Gang Behind The Breaches
Just what did the Adobe attackers steal? "Our investigation currently indicates that the attackers accessed Adobe customer IDs and encrypted passwords on our systems," said Adobe's Arkin in the Thursday security announcement. "We also believe the attackers removed from our systems certain information relating to 2.9 million Adobe customers, including customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders."
Adobe suspects -- but hasn't yet confirmed -- that whoever stole the customer data also stole the source code, and the company's investigators don't currently think that attackers accessed decrypted versions of credit or debit card numbers. "We deeply regret that this incident occurred," Arkin said. "We're working diligently internally, as well as with external partners and law enforcement, to address the incident."
2. Breach Dates From August 2013 -- Or Earlier
The breach was discovered one week ago, not by Adobe, but rather by security researchers Brian Krebs and Hold Security CISO Alex Holden. "[We] discovered a massive 40-GB source code trove stashed on a server used by the same cyber criminals believed to have hacked into major data aggregators earlier this year, including LexisNexis, Dun & Bradstreet and Kroll," Krebs said in a Thursday blog post. "The hacking team's server contained huge repositories of uncompiled and compiled code that appeared to be source code for ColdFusion and Adobe Acrobat."
According to Krebs, Adobe has been investigating a potentially broad-ranging breach into its networks since Sept. 17, 2013. In a related blog post, Hold Security's Holden said, "It appears that the breach of Adobe's data occurred in early August of this year, but it is possible that the breach was ongoing earlier."
3. Customers Dismiss Adobe Email Notification As Spam
Adobe said it's reset all affected customers' passwords and warned customers who reused the same password on other sites (security tip: never, ever reuse passwords) to reset it there as well. Adobe has also shared information with relevant banks about stolen credit and debit card numbers, and Arkin said the company is also offering customers whose credit or debit card information was involved the option of enrolling in a one-year complimentary credit monitoring membership, where available.
Adobe customers have reported receiving emailed notifications about the breach, warning them to "monitor your account for incidents of fraud and identity theft, including regularly reviewing your account statements and monitoring credit reports." But two different customers who received that email notification -- sent late Thursday, Pacific Time -- separately told InformationWeek that they'd initially dismissed the important customer security alert as spam.
4. Criminals Could Find New, Exploitable Vulnerabilities
Beyond the customer data theft worries, the theft of source code is also cause for concern, because code-savvy attackers -- or anyone else who subsequently obtains a copy of the code -- might be able to study the code and find previously undetected flaws.
"While we are not aware of specific use of data from the source code, we fear that disclosure of encryption algorithms, other security schemes and software vulnerabilities can be used to bypass protections for individual and corporate data," said Hold Security's Holden. "Effectively, this breach may have opened a gateway for new generation of viruses, malware and exploits."
"It should go without saying that no software company ever wants to have criminals steal its source code -- it is, after all, the technology company equivalent of losing the Crown Jewels," said Graham Cluley, an independent security researcher, in a blog post.
5. Adobe To Enterprises: Lock Down Acrobat, ColdFusion
To date, Adobe said that it's seen no new attacks against products for which the source code was stolen. "We are not aware of any zero-day exploits targeting any Adobe products," said Adobe CSO Arkin. Regardless, he recommended that all businesses only run supported versions of the software, apply all security updates, and follow in full the security advice detailed in the Acrobat Enterprise Toolkit and the ColdFusion Lockdown Guide. "These steps are intended to help mitigate attacks targeting older, unpatched, or improperly configured deployments of Adobe products," he said.
6. Attackers Didn't Hack Into Adobe Using ColdFusion
After Adobe detailed the breach, questions quickly centered on ColdFusion, a rapid Web application development platform that was originally developed by Allaire -- as a way to connect HTML pages to databases -- and subsequently purchased by Adobe in 2005.
Did hackers exploit ColdFusion to gain access to Adobe? If so, that wouldn't be unusual. For example, the July 2013 breach at the Department of Energy that resulted in the theft of information relating to 53,000 past and current federal employees -- including dependents and contractors -- was traced to the agency using an outdated and unpatched version of ColdFusion.
But an Adobe official Friday dismissed that possibility. "The breach did not involve a CF vulnerability. Investigations are still happening to figure out the attack vector," tweeted Rakshith Naresh, Adobe's ColdFusion product manager.
7. Bug Hunters Downplay Source Code Value
What might the stolen source code be worth? "Adobe Acrobat source code valued at $500k to $30M on black market," tweeted attorney Jim Denaro at CipherLaw.
But some security experts have disputed at least the high end of that estimate, noting that the potential payoff to be gained from studying the source code to find new bugs that could be turned into working exploits -- aka weaponized and sold for a profit -- wouldn't be worth the initial investment.
"You can fuzz bugs cheaper, and you can audit cheaper. It's not so valuable," tweeted the Bangkok-based vulnerability broker known as the Grugq. "It is [definitely] worth more to Adobe than it is to anyone else."
