Adobe has confirmed hackers have breached its network, affecting 2.9 million customers, with plastic card details stolen and source code compromised.
The attackers were successful in accessing Adobe’s customers’ personal information, including customer names, encrypted credit and debit card numbers and their expiration dates, as well as the source code for numerous Adobe products.
The company says it does not believe decrypted debit or credit card data was removed from its systems. Adobe is, however, in the process of notifying all affected customers, who will each receive a year of free credit monitoring, suggesting that the company is perhaps not fully confident the card breach has been contained. At the least it is a clever marketing move by the company to try to reassure customers.
Adobe is also resetting all relevant customer passwords to help prevent any future unauthorised access to Adobe ID accounts, but there is no telling the amount of damage already done. The loss of source code is also a major blow to the firm, as attackers studying it could uncover vulnerabilities in the affected products, which makes a quick update necessary. Indeed, Adobe is planning to release a security update tomorrow, 8 October.
Brad Arkin, Adobe's chief security officer, said of the attack: "We deeply regret that this incident occurred. We're working diligently internally, as well as with external partners and law enforcement, to address the incident."
The firm has notified the banks processing the customer transactions so they can work with the payment card companies and card-issuing institutions to help protect customers' accounts.
Reacting to the hack attack against Adobe, Dwayne Melancon, chief technology officer (CTO) of infosec firm Tripwire, said: "The fact that the breach involves source code for creating web content should be concerning for Adobe and its customers, as it may enable the attackers to tamper with others' production web sites. Fortunately, Adobe has already published security hardening guidelines to help reduce the risk of attacks against others. Adobe has also committed to improving its own products' ability to monitor their own integrity to ensure they haven't been altered.
"This breach is rumoured to have been perpetrated by the same attackers that compromised LexisNexis and a number of other organisations, so they likely used the same techniques. That means the attackers planted a rogue executable on the targeted systems and used that to create a command and control channel back to the attackers. These breaches underscore the importance of continuously monitoring your systems for suspicious changes, verifying any unrecognised programs on your systems, and establishing strong foundational controls so you can tell 'good' from 'bad' in your production environment - and to prepare before something bad happens, rather than after the damage has been done. Maintaining a good baseline of known, trusted, and secure system configurations and application binaries is essential in today's environments so you can quickly tell which systems, applications, and components you can trust."
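Melancon's point about keeping a baseline of trusted binaries and configurations so that unrecognised or altered programs stand out is the core of file integrity monitoring. The following is an added illustration, not Tripwire's or Adobe's code: it records SHA-256 hashes of every file under a directory, stores them as a baseline, and later classifies drift as modified, added or removed. The function names and the small sample tree (two "binaries" and a config file, then a tampered binary, a rogue executable and a deleted config) are constructed for this example.

```python
"""File-integrity baseline check: record hashes of trusted binaries and
configs, then flag anything modified, added or removed since the baseline.
Added example; function names and the sample tree are constructed here."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (path relative to root) to its SHA-256.
    Symlinks are skipped so a link cannot masquerade as a trusted file."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            baseline[path.relative_to(root).as_posix()] = sha256_file(path)
    return baseline


def compare_to_baseline(baseline: dict, current: dict) -> dict:
    """Classify drift against the trusted baseline:
    modified = hash changed, added = unrecognised file, removed = trusted file gone."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def save_baseline(baseline: dict, dest: Path) -> None:
    """Persist the baseline; in practice this copy lives on a separate, protected host."""
    dest.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def demo() -> dict:
    """Constructed scenario: a trusted tree is baselined, then one binary is
    tampered with, an unrecognised executable appears and a config file vanishes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "app"
        (root / "bin").mkdir(parents=True)
        (root / "etc").mkdir()
        (root / "bin" / "server").write_bytes(b"\x7fELF trusted server build")
        (root / "bin" / "worker").write_bytes(b"\x7fELF trusted worker build")
        (root / "etc" / "app.conf").write_text("listen = 443\n")

        baseline_file = Path(tmp) / "baseline.json"  # kept outside the monitored tree
        save_baseline(build_baseline(root), baseline_file)

        # Simulated drift after the baseline was recorded.
        (root / "bin" / "server").write_bytes(b"\x7fELF trusted server build + patch")
        (root / "bin" / "updater").write_bytes(b"\x7fELF unrecognised program")
        (root / "etc" / "app.conf").unlink()

        return compare_to_baseline(load_baseline(baseline_file), build_baseline(root))


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

Run on a real tree, the baseline would be taken from a known-good build or freshly provisioned host and stored where a compromised machine cannot rewrite it; anything in the `added` or `modified` lists is then a candidate for the "verifying any unrecognised programs" step the quote describes.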
For Tom Cross, director of security research at Lancope, the key lesson to be learnt is to prioritise your response plan: "I think that corporate leaders need to consider how they are going to react when an attack inevitably does happen. Organisations of all kinds experience breaches. What is your company's incident response plan? Are you able to investigate incidents and determine their cause and impact? Do you have a plan for interacting with the public in the event of a breach? Many organisations are woefully unprepared, and that can exacerbate the pain and cost associated with an incident like this."
Adobe’s response seems to have been quite coordinated so far, suggesting they did have a business continuity plan in place. As the cyber-security threat grows, more and more firms must ensure they have such a plan in place. According to Brian Krebs, the ex-Washington Post Security Fix reporter and now author of the KrebsonSecurity blog, the threat is that the Adobe hackers could have hidden zero-day exploit code within a PDF document, or other content like Flash animations, to create weaponised content. “Then a specially crafted spear-phishing email is used to deliver the weaponised content to the targeted user,” he warned. “When the user opens the attachment or watches the animation, the exploit code exploits the vulnerability to silently download malware on the user’s machine. The user isn’t aware that this download has happened. But this malware, often a Remote Access Trojan (RAT), enables the attacker to access sensitive data or even gain full control over the user’s machine.”
Tomorrow’s security update from Adobe on 8 October should help to lock down its code and vulnerabilities further, but the damage done in the meantime is hard to estimate, and the scale of the attack, involving 2.9m customers, illustrates the increasing sophistication of cyber-criminals.
The growing threat from cyber-criminals has been illustrated this year by the $6bn Liberty Reserve money laundering scam; the rise of Ripple, Bitcoin and other non-traditional digital currencies; and attacks like the recent one where a Barclays branch IT system was taken over by criminals. The Prism snooping scandal and Edward Snowden’s allegations of NSA monitoring of SWIFT data also show how the cyber-security arena is becoming increasingly contested with technology firms like Adobe and financial institutions like SWIFT and banks increasingly in the cross-fire.
• For more about the world of information security, please read the bobsguide blogger (aka contributing editor) submissions by ISACA’s Allan Boardman. The response to Question 3 in this Q&A Interview with SWIFT CIO, Michael Fish, where he highlights the growing cyber-security threat evident in discussions at the recent Sibos 2013 trade show, should also be of interest.
By Neil Ainger, with additional reporting by Claire Archer.