It appears that the bad guys who exploited Adobe in August, and stole ColdFusion and Adobe (maybe) source code, as well as millions of credit card numbers, used a well-known ColdFusion vulnerability. What seems to have happened is that they were able to exploit an unpatched ColdFusion instance and then follow an attack vector that led them to credit cards and source code. For some of the details on this, see this story by Krebs.
And now it’s time for me to rail, once again, about the need for InfoSec and IT Operations to “do the basics”. C’mon guys, this was your own vulnerability. One you knew about, controlled the source code for, published patches for, etc. And you couldn’t patch it? How many times must the bad guys exploit basics like this, and then follow an internal kill chain to the crown jewels before we get serious about this problem?
This is exactly why I joined CORE Security … to help with this problem. Until these very basic issues are solved, all the advanced security stuff is pointless. CISOs need to stop fretting over BYOD. It’s time for them to get back to patching vulnerabilities and shutting down attack vectors into their networks.