Adobe hackers strike again: PR Newswire grovels to clients after latest hack'n'grab

PR Newswire has been forced to reset its clients' passwords following a security breach linked to the same hackers who smashed into Adobe earlier this month.

The hackers made off with the usernames and encrypted passwords of the marketing and press release distribution service's customers, reports investigative journalist Brian Krebs.

If the passwords were cracked, perhaps by using rainbow tables to look for leaked hashes that corresponded with weak passwords, it might have been possible to upload false earning warnings or similar fake news in order to manipulate stock prices and profit from the resulting confusion.

Thankfully, there is no evidence that anything like this has happened.

Swiped usernames and encrypted passwords from PR Newswire were found on the same internet server that hosted source code stolen from Adobe – evidence that points towards the same hacking group being behind both attacks.

PR Newswire confirmed that the stolen data came from its systems before resetting users passwords and putting out an advisory note about the breach. Exposed data appears to be mainly confined to EMEA customers of the marketing service.

In a statement, PR Newswire said it is “conducting an extensive investigation" into the breach” and promised to bolster security to limit the odds of a repeat of the assault. It said its preliminary investigation suggests that customer payment data was not compromised as a result of the attack, but nonetheless apologised for the whole sorry affair:

We recently learned that a database, which primarily houses access credentials and business contact information for some of our customers in Europe, the Middle East, Africa and India, was compromised. We are conducting an extensive investigation and have notified appropriate law enforcement authorities. Based on our preliminary review, we believe that customer payment data were not compromised.

As a precautionary measure, we have implemented a mandatory password reset for all customers with accounts on this database. As a general practice, we recommend that our customers use strong passwords and regularly update them, not just on PR Newswire but on any website requiring login credentials. From an internal perspective, we continue to implement security improvements and additional protocols to help further protect user portals and customer and proprietary information.

Krebs was helped in his investigation into the PR Newswire breach by Alex Holden, chief information security officer at Hold Security.

“Misleading PR statements on behalf of major companies could disrupt stock markets, injure a company’s reputation, and affect consumers,” Holden told Krebs.

A statement by Hold Security sheds more light on the circumstances of the find of PR Newswire data on the hacked server:

The same group of cyber criminals responsible for LexisNexis, NW3C, and Adobe breaches also had stolen data that belongs to PR Newswire. Partial website source code and configuration data along with a database of PR Newswire customers was found on the same server where Adobe System’s source code was located.

Cleverly disguised as an image, an archive of PR Newswire was found on hackers’ repository server. The database date appears to be from March 8, 2013 but it is unclear yet if the breach had happened at the same time or at a later date as the archive was created on April 22, 2013.

While we are presently unaware of any deviant abuse of the stolen data, this breach casts a number of questions about the intentions of the hackers.

In an update to its statement, Hold Security said that an attack based on ColdFusion exploits was launched against multiple PR Newswire networks on 13 February. The theory is that this might be the attack that resulted in the breach.

This, at the very least, is an interesting coincidence because the (as yet unidentified) hackers behind the Adobe source code heist specialised in targeting vulnerabilities in the ColdFusion web application development platform, according to previous research by Krebs.

The journalists-turned-security investigators have linked the same attackers to hacks against top US data brokers, including LexisNexis and Dun & Bradstreet as well as the the National White Collar Crime Center, a US-based non-profit organisation for the training of cybercrime investigators.

The breach against Adobe's systems compromised the information of 2.9 million customers, as well as allowing unidentified hackers to access the source code of Adobe products including Adobe Acrobat, ColdFusion, ColdFusion Builder, and other unnamed products. Customer names, encrypted credit and debit card numbers, expiration dates, and other information relating to customer orders was all exposed.

Adobe has reset customer passwords as a precaution following the incident and followed up with notice to users, distributed by email.

In the wake of the hack, security firm Trusteer warned that hackers could potentially used the leaked code to develop zero-day exploits, a threat the IBM-owned firm's products are specifically designed to protect against.

"The Adobe network breach puts organizations and users at significant risk," writes Dana Tamir, director of enterprise security at Trusteer. "If the source code for Adobe Reader or other popular Adobe applications was stolen, it means that cyber-criminals now have the opportunity to search this code for new unknown vulnerabilities, and develop malicious code that exploits these vulnerabilities. You can expect that we will soon have a stream of new, nasty zero-day exploits."

The scenario sketched out by Tamir is certainly not implausible but finding previously unknown vulnerabilities in complex software applications – even given access to the source code – is painstaking, laborious and skilled work. Few have the mindset or patience to carry this out. The hackers behind the breach almost certainly lack the necessary skillset: however, they might sell the source code to someone with the resources to look for security holes, perhaps even an intelligence agency of a nation state.

Previous source code leaks from the likes of Symantec and Cisco did not result in a noticeable increase in the volume of zero-day exploits affecting their products. However ,Adobe's applications are a prime target for hackers so more effort might be put into finding holes in the leaked code than might otherwise be the case. Enterprise security firm Hold Security backs up Trusteer's initial reaction that bad things were likely to flow out of the Adobe source code leak:

"Source code leak is THE STORY. It exposes Web Servers and PCs to new exploits," it said in a Twitter update around the time that news of the initial hack of Adobe broke in early October. ®