Malware, Security Strategy, Plan, Budget

Hackers raid Adobe, compromise certificate to sign malware

Advanced hackers have broken into an internal server at Adobe to compromise a digital certificate that allowed them to create at least two files that appear to be legitimately signed by the software maker, but actually contain malware.

As a result of the breach, which appears to date back to early July, Adobe on Oct. 4 expects to revoke the compromised certificate that was used to sign the malicious files, Brad Arkin, senior director of product security and privacy, said in a Thursday blog post.

"We are proceeding with plans to revoke the certificate and publish updates for existing Adobe software signed using the impacted certificate," he wrote. "This only affects Adobe software signed with the impacted certificate that runs on the Windows platform and three Adobe AIR applications that run on both Windows and Macintosh."

The company uncovered the breach after coming across two malicious "utilities" that appeared to be digitally signed with a valid Adobe cert. It is unclear how or whether those files were used in the wild to target anyone.

"Sophisticated threat actors use malicious utilities like the signed samples during highly targeted attacks for privilege escalation and lateral movement within an environment following an initial machine compromise," Arkin wrote.

Mikko Hypponen, chief research officer of Finnish security firm F-Secure, tweeted Thursday that his company's repository includes thousands of files signed by the compromised Adobe certificate, but only three are considered "bad," or infected.

In another blog posted by Arkin, he said that, generally speaking, most Adobe users won't be affected.

"Is your Adobe software vulnerable because of this issue?" he wrote. "No. This issue has no impact on the security of your genuine Adobe software. Are there other security risks to you? We have strong reason to believe that this issue does not present a general security risk. The evidence we have seen has been limited to a single isolated discovery of two malicious utilities signed using the certificate and indicates that the certificate was not used to sign widespread malware."

The "build" server that was compromised was not configured according to Adobe's corporate standards, but that shortfall wasn't caught during the provisioning process, Arkin said. He added that the affected server did not provide the adversaries with access to any source code for other products, such as the popular Flash Player and Adobe Reader and Acrobat software.

Valid digital certificates being used for illegitimate purposes have become a preferred hacker ploy of late. Most recently, the authors of the Flame virus used rogue Microsoft certs to spread the nefarious malware. Certificate authorities themselves also have been targeted.

UPDATE: An Adobe spokeswoman said the certificate was not actually stolen: "Adobe has stringent security measures in place to protect its code signing infrastructure. The private keys associated with the Adobe code signing certificates were stored in Hardware Security Modules (HSMs) kept in physically secure facilities. We confirmed that the private key associated with the Adobe code signing certificate was not extracted from the HSM."

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.