Trusteer: In an important customer announcement published yesterday, Adobe notified customers that its network had been breached, and the attackers illegally accessed information relating to 2.9 million Adobe customers as well as source code for numerous Adobe products. According to Adobe:
“Our investigation currently indicates that the attackers accessed Adobe customer IDs and encrypted passwords on our systems. We also believe the attackers removed from our systems certain information relating to 2.9 million Adobe customers, including customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders.”
In addition to customer information, source code of popular Adobe applications has been accessed. The announcement doesn’t provide many details, but according to Brian Krebs, author of KrebsonSecurity, who conducted an interview with Adobe’s Chief Security Officer Brad Arkin, Adobe Acrobat may have been among the compromised products:
“Arkin said Adobe is still in the process of determining what source code for other products may have been accessed by the attackers, and conceded that Adobe Acrobat may have been among the products the bad guys touched.”
The Adobe network breach puts organisations and users at significant risk. If the source code for Adobe Reader or other popular Adobe applications was stolen, it means that cyber-criminals now have the opportunity to search this code for new unknown vulnerabilities, and develop malicious code that exploits these vulnerabilities. You can expect that we will soon have a stream of new, nasty 0-day exploits.
Zero-day exploits are used for executing drive-by downloads. They are very effective because security solutions that are designed to detect threats are not yet familiar with these new, never-seen-before threats, therefore they do not block them. And since these exploits would be new, there wouldn’t be a patch available either.
Attackers can hide zero-day exploit code within a PDF document, or other content like Flash animations, to create weaponised content. Then a specially crafted spear-phishing email is used to deliver the weaponised content to the targeted user. When the user opens the attachment or watches the animation, the exploit code exploits the vulnerability to silently download malware on the user’s machine. The user isn’t aware that this download has happened. But this malware, often a Remote Access Trojan (RAT), enables the attacker to access sensitive data or even gain full control over the user’s machine.
In many cases, the targeted user is an employee within a targeted organisation. By compromising the user’s machine, the attacker gains a foothold within the targeted organisation’s network. From here, the attacker can progress the attack and breach the organisation. Since Adobe products are widely used, they become a popular way to compromise employee endpoints and enable APTs and targeted attacks. Since users are accustomed to receiving PDF attachments and Flash movies on a daily basis, the exploitation of vulnerabilities in these applications is highly successful and puts many organisations at risk.
Adobe is planning to release security updates on Tuesday, October 8, 2013. We recommend that users deploy these updates as soon as possible. For organisations concerned about zero-day exploits we recommend considering the implementation of exploit prevention technologies.