In what sounds like a worst-case scenario, Adobe Corp. admitted on Thursday that a massive breach of its corporate network resulted in the theft of information on close to three million customers and source code for two widely used products: Adobe Acrobat, Acrobat Publisher, ColdFusion and “other” as-yet undisclosed products.
The news came in a string of announcements late Thursday on Adobe’s corporate blog as well as the news site Krebsonsecurity.com. The revelation came after Brian Krebs, the reporter behind that site, and Alex Holden, the Chief Security Officer of Hold Security, discovered what is described as “a massive 40 GB source code trove stashed on a server used by the same cyber criminals believed to have hacked into major data aggregators earlier this year, including LexisNexis, Dun & Bradstreet and Kroll.”
After being informed of the find, Adobe investigated and acknowledged the theft. In a blog post by Chief Security Officer Brad Arkin, the company said that it “is investigating the illegal access of source code for Adobe Acrobat, ColdFusion, ColdFusion Builder and other Adobe products by an unauthorized third party.”
The company said that it is not aware of any “specific increased risk to customers as a result of this incident,” but the security implications of the leak are profound. Specifically: access to the raw source code for Adobe’s products would allow sophisticated attackers and malware authors to locate and exploit previously unknown (or “zero day”) software vulnerabilities.
“As always, we recommend customers run only supported versions of the software, apply all available security updates, and follow the advice in the Acrobat Enterprise Toolkit and the ColdFusion Lockdown Guide,” Arkin wrote.
In a separate post, the company provided details on the leak of Adobe customer IDs and encrypted passwords, which is believed to be a part of the same breach. “We also believe the attackers removed from our systems certain information relating to 2.9 million Adobe customers, including customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders,” Arkin wrote. The company does not believe that decrypted credit or debit card numbers were accessed.
In a separate post on its web site, Hold Security said that the breach at Adobe occurred in August of this year, but may be even older. Little is known about the circumstances of the breach, though Krebsonsecurity reported that it appears to be linked to the same group accused of compromising the networks of major data brokers, including LexisNexis, Dun & Bradstreet and Kroll Background. The same group apparently made off with records on around four million Americans, including prominent politicians and celebrities, selling them on an underground forum: ssndob[dot]ms.
Hold Security said that it was unclear whether the source code had been analyzed by the thieves, but that “it appears that the data was taken and viewed by unauthorized individuals.” Also unclear is the link, if any, to a so-called “advanced persistent threat” (or APT)-style hack of Adobe’s corporate network in September 2012. At the time, Adobe said that the breach was limited to a single build server and that the attackers did not have access to any of the company’s source code repositories, but the latest revelation is likely to raise questions about whether the company’s assessment of the extent of that breach was accurate.
The breach poses a serious concern to countless businesses and individuals, Hold warned. The theft of the source code could expose “encryption algorithms, other security schemes, and software vulnerabilities (that) can be used to bypass protections for individual and corporate data.”
“Effectively, this breach may have opened a gateway for a new generation of viruses, malware, and exploits,” Hold warned.
“The attack on Adobe definitely sounds like a worst case scenario,” said Marc Maiffret, the Chief Security Officer at BeyondTrust. But he questioned whether the exposure of the source would change much for organizations that use Adobe Acrobat or the company’s other products.
“I do not personally think their source code getting compromised is a huge changer to the threat landscape though. Surely it will lead to new exploits against Adobe products and probably in the form of zeroday. But that really is the threat landscape already as it relates to Adobe,” he said. “There is already such a precedent set for zeroday exploits in their software so you must defend your network with that in mind as a constant really.”
Much depends on what kind of group is behind the hack, Maiffret added. If the attackers were nation-state backed, then attacks leveraging knowledge of the underlying source code might trickle out. However, if the group behind the breach were cyber criminals, there may be a ‘crowdsourcing’ effect, with more eyeballs scrutinizing the code and the quick emergence of new attacks, Maiffret theorized.
For its part, Adobe said that it deeply regretted the breach. To try to respond, the company is resetting customer passwords and will notify customers whose credit and debit card information may have been exposed. Adobe is also working with federal law enforcement and will assist them in their investigation, the company said.