Hackers left Adobe source code sitting on unprotected server

library
crime | hacking | security

Adobe’s source code – the code for flagship products behind an über nasty breach the company reported on 3 October – turns out to have been parked on an unprotected hackers’ server, open to the internet, IDG News Service’s Jeremy Kirk reports.

The breach involved 2.9 million encrypted customer credit card records.

(Whatever that means; see Paul Ducklin’s deep dive on what evils the breach might have spawned and what a low-information term “encrypted” actually is.)

Adobe was already looking into the breach when Hold Security’s Deep Web Monitoring Program independently discovered source code for the company’s flagship products – Reader, Publisher and ColdFusion – on the server of a hacker gang.

The hacker gang was previously known for breaching LexisNexis, Kroll, NW3C, and many other sites, as security journalist Brian Krebs reported on 13 September.

Hold Security says it found over 40GB in encrypted archives on the hackers’ server, containing what looked like source code of such products as Adobe Acrobat Reader, Adobe Acrobat Publisher, and the Adobe ColdFusion line of products.

Adobe had already confirmed on 2 October that its source code had, in fact, been breached.

Adobe reset all passwords after it reported on 3 October that customers’ data had been breached and that login and credit card data had probably been stolen.

When it posted about the discovery – also on 3 October – Hold Security said that the breach “poses a serious concern to countless businesses and individuals” and raises the possibility that the disclosure of encryption algorithms, other security schemes and possibility vulnerabilities in the source code might have opened “a gateway for [a] new generation of viruses, malware, and exploits.”

Maybe, maybe not, as Paul Ducklin’s deep dive into the new-gateway premise suggests.

Having the source code might save malicious types some time when it comes to disassembling executable files to find out what they do, particularly with the help of fully commented code, original variable names, and maybe even some helpful notes from programmers, Paul wrote, but gnarly exploits can be found without source code, and holes can gape for a long time before anybody notices, even in open source products.

At any rate, hopefully, given the lack of protection they put on the source code, the hackers who stole Adobe’s code won’t prove to be very adept at exploiting it.

Alex Holden, chief information security officer of Hold Security, told Kirk that the code “was hidden, but it was not cleverly hidden.”

Holden was able to analyze the server’s directory, he said, to find a directory with the abbreviation “ad.” It was filled with “interesting” file names, he told IDG, including encrypted .”rar” and “.zip” files.

In fact, the server was holding data stolen from other companies that have been notified that the gang may have victimized them. The gang was using the server to stash data stolen from the data aggregators – LexisNexis, Dunn Bradstreet, and Kroll Background America, for example.

Kirk reports that the gang speaks Russian, is still active, and hasn’t yet been named.

We may be looking at more announcements coming from the companies whose data was found on the server, Kirk reports, if the companies choose, or are compelled by legal requirement, to do so.