The same group of cyber criminals responsible for LexisNexis, NW3C, and Adobe breaches also had stolen data that belongs to PR Newswire. Partial website source code and configuration data along with a database of PR Newswire customers was found on the same server where Adobe System’s source code was located.
Cleverly disguised as an image, an archive of PR Newswire was found on hackers’ repository server. The database date appears to be from March 8, 2013 but it is unclear yet if the breach had happened at the same time or at a later date as the archive was created on April 22, 2013.
While we are presently unaware of any deviant abuse of the stolen data, this breach casts a number of questions about the intentions of the hackers. Given the financial motivation of this hackers’ group, PR Newswire is an unlikely target and it might have been a target of opportunity.
On the other hand, considering criticality of major announcements done through PR Newswire, it is possible that savvy malicious individuals might use unannounced press releases or even manipulate major announcements to gain a competitive financial edge on the stock market.
Hold Security worked with journalist Brian Krebs who contacted PR Newswire to alert them of the breach.
Update October 17, 2013
Hold Security’s Deep Web Monitoring confirms today that PR Newswire was not a random target for the hackers. There is evidence, dated February 13, 2013, of a large-scale attack targeting PR Newswire’s multiple networks hitting over 2,000 IP addresses using ColdFusion exploits. The attack was sourced from a different server also used by the same group of hackers. If this attack resulted in a breach, it is possible that the hackers had access to PR Newswire infrastructure longer than previously thought.