Advisory Overview
Adobe Creative Cloud is a popular platform for the use of many different Adobe applications and services. Recently, security researchers uncovered a database cache which was not properly secured to prevent access by unauthorized parties. A database cache is a copy of some or all of a production database that is used to provide faster web services and handle additional user load. While password and financial data does not appear to have been housed in this database cache, other information such as email addresses, subscription status, and member IDs was stored there. This gives a threat actor significant information that can be used to perform a spear-phishing attack. Spear-phishing is a form of phishing that is highly targeted, making the phishing email appear much more legitimate because it contains information about the specific victim who receives it. In this case a spear-phishing email could reference a user’s Adobe Connect member ID and include details like their subscription status, along with a request to log in to their account to address some concern such as a failed payment. The link to log in goes to a malicious website, where legitimate usernames and passwords are harvested by the threat actor or malware is downloaded and run. If you receive any emails from Adobe, take extra caution before interacting with or replying to them. Reach out to your IT Department and/or Managed Services Provider to review any suspicious emails.
Technical detail and additional information
What is the threat?
Security researchers discovered that subscriber information for Adobe’s Creative Cloud was exposed to the public due to an unencrypted database cache. Although the database storing customer information was secured, the cache of the database was not, revealing customer information to anyone. The information did not consist of any financial information or passwords. However, the information that was in the cache could still be useful to attackers for launching spear-phishing campaigns or other kinds of fraudulent activity.
Why is this noteworthy?
Adobe Cloud is a subscription service that allows users to access a suite of Adobe products. Some estimates state that approximately 15 million users subscribe to the service. The vulnerability was discovered by a security researcher who had partnered with Comparitech on October 19th, and Adobe was quickly notified of the data leak. Adobe responded by taking down the entire database cache; however, the security researchers estimate that the information was open for public access for over a week and that there is no way to determine who might have accessed the information, or how much of the cache may have been exfiltrated, during that time.
What is the exposure or risk?
According to Comparitech, the information stored in the database cache consisted of: email addresses, subscription and payment status, member IDs, country, and whether the user was an Adobe employee. Even though the data is not considered particularly sensitive, the information that the security researchers found could be used to execute spear-phishing attacks and other scams. The data known to be in the cache could easily be used to create a realistic-looking spear-phishing email that purports to be about a specific user, identifies them by email address, member ID, and subscription status, and then requires that the user visit a link to log in so they can address an account or payment issue. Following the malicious link could expose the user to credential harvesting or malware infection.
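The lure described above combines three things a mail filter or analyst can check for: a message that claims to come from Adobe, cites the kinds of details that were in the leaked cache (member ID, subscription status), and pushes the reader toward a login link on a domain Adobe does not control. The following Python script is an added illustration written for this advisory; it is not code from Adobe, Comparitech, or SKOUT. It assumes adobe.com (and its subdomains) is the only legitimate sender and link domain, and the two sample messages, including their example.net hosts and member ID, are constructed for the demonstration.

```python
import re
from urllib.parse import urlparse

# Domains treated as legitimate for Adobe correspondence.
# Assumption for this example: adobe.com and its subdomains only.
TRUSTED_DOMAINS = ("adobe.com",)

# Phrases typical of the account/payment pretext the advisory describes.
URGENCY_PHRASES = ("failed payment", "payment issue", "log in", "login",
                   "suspended", "verify your account")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
EMAIL_DOMAIN_RE = re.compile(r"@([A-Za-z0-9.-]+)")


def _is_trusted(host):
    """True only for an exact trusted domain or one of its subdomains
    (so 'adobe.com.example.net' and 'notadobe.com' are NOT trusted)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def phishing_indicators(sender, subject, body):
    """Return the list of indicator strings found in one message."""
    indicators = []
    text = f"{subject}\n{body}"
    lower = text.lower()

    # 1. Brand claim versus actual sender domain.
    m = EMAIL_DOMAIN_RE.search(sender)
    sender_domain = m.group(1) if m else ""
    claims_adobe = "adobe" in (sender + subject).lower()
    if claims_adobe and not _is_trusted(sender_domain):
        indicators.append(f"sender claims Adobe but domain is {sender_domain or 'missing'}")

    # 2. Every link must resolve to a trusted host.
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        if not _is_trusted(host):
            indicators.append(f"link to untrusted host {host}")

    # 3. Details of the kind known to be in the leaked cache, used as a lure.
    if re.search(r"\bmember id\b", lower) or "subscription" in lower:
        indicators.append("cites member ID / subscription details (data known to be in the leaked cache)")

    # 4. Account or payment urgency pretext.
    if any(p in lower for p in URGENCY_PHRASES):
        indicators.append("account/payment urgency pretext")

    return indicators


def classify(sender, subject, body):
    """'suspicious' when an untrusted sender or link is combined with a lure."""
    inds = phishing_indicators(sender, subject, body)
    untrusted = any(i.startswith(("sender claims", "link to untrusted")) for i in inds)
    lure = any(i.startswith(("cites member", "account/payment")) for i in inds)
    return "suspicious" if untrusted and lure else "ok"


# Constructed sample messages (not real mail); hosts and member ID are placeholders.
SAMPLES = {
    "lure": (
        "Adobe Billing <billing@adobe-account-services.example.net>",
        "Action required: failed payment on your Creative Cloud subscription",
        "Hello, Member ID 1234567. Your subscription status is Past Due. "
        "Log in at https://adobe-login.example.net/verify to fix the payment issue.",
    ),
    "legit": (
        "Adobe <mail@adobe.com>",
        "Your monthly Creative Cloud newsletter",
        "See what's new this month: https://www.adobe.com/creativecloud.html",
    ),
}

if __name__ == "__main__":
    for name, (sender, subject, body) in SAMPLES.items():
        print(name, classify(sender, subject, body), phishing_indicators(sender, subject, body))
```

The lookalike sender domain and the off-domain login link are each sufficient on their own to raise the "untrusted" flag; the member ID and payment wording only turn an untrusted message into a "suspicious" one, which keeps ordinary Adobe marketing mail from being flagged.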
What are the recommendations?
Adobe has stated that the environment in question was a prototype platform and that they have shut down the environment, but it is impossible to say whether the information had been viewed by malicious actors before the shutdown. Anyone who is a subscriber to Adobe Cloud could have had their information leaked; therefore, SKOUT recommends that customers stay alert for possible phishing attempts and provide security awareness training to their users.
References:
For more in-depth information about the recommendations, please visit the following link:
If you have any questions, please contact our Security Operations Center.