In an important announcement yesterday, Adobe notified customers that its network had been breached. During this Adobe breach, the attackers illegally accessed information relating to 2.9 million Adobe customers and source code for numerous Adobe products. According to Adobe:
“Our investigation currently indicates that the attackers accessed Adobe customer IDs and encrypted passwords on our systems. We also believe the attackers removed from our systems certain information relating to 2.9 million Adobe customers, including customer names, encrypted credit or debit card numbers, expiration dates and other information relating to customer orders.”
The announcement doesn’t provide many details, but Adobe Acrobat may have been one of the compromised products, according to Brian Krebs, author of Krebs on Security, who conducted an interview with Adobe’s Chief Security Officer Brad Arkin.
“Arkin said Adobe is still in the process of determining what source code for other products may have been accessed by the attackers and conceded that Adobe Acrobat may have been among the products the bad guys touched,” Krebs wrote.
Risks of the Adobe Breach
The Adobe breach puts organizations and users at significant risk. If the source code for Adobe Reader or other popular Adobe applications was stolen, it means that cyber criminals now have the opportunity to search this code for unknown vulnerabilities and develop malicious code that exploits them. You can expect that we will soon have a stream of new, nasty, zero-day exploits.
Zero-day exploits are used to execute drive-by downloads. They are very effective because security solutions that are designed to detect threats are not yet familiar with these new, never-before-seen threats. Therefore, they do not block them. Since these exploits would be new, there wouldn’t be a patch available, either. Attackers can hide zero-day exploit code within a PDF document or other content such as Flash animations to create weaponized content. Then, a specifically crafted spear-phishing email is used to deliver the weaponized content to the targeted user. When the user opens the attachment or watches the animation, the code exploits the vulnerability to silently download malware on the user’s machine, so the user isn’t aware that this download has happened. But this malware, often a Remote Access Trojan, enables the attacker to access sensitive data or even gain full control over the user’s machine.
In many cases, the targeted user is an employee within a targeted organization. By compromising the user’s machine, the attacker gains a foothold within the targeted organization’s network. From here, the attacker can progress the attack and breach the organization. Since Adobe products are widely used, they have become a popular way to compromise employee endpoints and enable Advanced Packaging Tools and targeted attacks. Since users are accustomed to receiving PDF attachments and Flash movies on a daily basis, the exploitation of vulnerabilities in these applications is highly successful and puts many organizations at risk.
Adobe is planning to release security updates on Tuesday, Oct. 8, 2013. We recommend that users deploy these updates as soon as possible. For organizations concerned about zero-day exploits, we recommend considering the implementation of exploit prevention technologies.