Think Information. Think Security.
Advanced hackers have broken into an internal server at Adobe to compromise a digital certificate that allowed them to create at least two files that appear to be legitimately signed by the software maker, but actually contain malware. As a result of the breach, which appears to date back to early July, Adobe on Oct. 4 expects to revoke the compromised certificate that was used to sign the malicious files, Brad Arkin, senior director of product security and privacy, said in a Thursday blog post.

The company uncovered the breach after coming across two malicious "utilities" that appeared to be digitally signed with a valid Adobe cert. It is unclear how or whether those files were used in the wild to target anyone. "Sophisticated threat actors use malicious utilities like the signed samples during highly targeted attacks for privilege escalation and lateral movement within an environment following an initial machine compromise," Arkin wrote.

Mikko Hypponen, chief research officer of Finnish security firm F-Secure, tweeted Thursday that his company's repository includes thousands of files signed by the compromised Adobe certificate, but only three are considered "bad," or infected.

In another blog post, Arkin said that, generally speaking, most Adobe users won't be affected: "The evidence has been limited to a single isolated discovery of two malicious utilities signed using the certificate and indicates that the certificate was not used to sign widespread malware." The "build" server that was compromised was not configured according to Adobe's corporate standards, but that shortfall wasn't caught during the provisioning process, Arkin said. The affected server did not provide the adversaries with access to any source code for other products, such as the popular Flash Player and Adobe Reader and Acrobat software.

Valid digital certificates being used for illegitimate purposes have become a preferred hacker ploy of late. Most recently, the authors of the Flame virus used rogue Microsoft certs to spread the nefarious malware. Certificate authorities themselves also have been targeted.

An Adobe spokeswoman said the certificate was not actually stolen: "Adobe has stringent security measures in place to protect its code signing infrastructure. The private keys associated with the Adobe code signing certificates were stored in Hardware Security Modules (HSMs) kept in physically secure facilities. We confirmed that the private key associated with the Adobe code signing certificate was not extracted from the HSM."
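For a defender, the practical follow-up to an announcement like this is an inventory of which binaries in the environment carry a signature from the affected certificate, since a valid-looking signature alone says nothing about intent. The PowerShell sweep below is an added example, not code from the article or from Adobe; the thumbprint on the watch list is a placeholder to be replaced with the value a vendor publishes in its advisory.

```powershell
# Added example: inventory Authenticode-signed executables under a root path and
# flag any signed by a certificate on a watch list (e.g. one a vendor has announced
# it will revoke), plus any whose signature does not currently verify as Valid.
# The thumbprint below is a PLACEHOLDER, not Adobe's real certificate.
$WatchThumbprints = @(
    'PLACEHOLDER0000000000000000000000000000000'   # replace with the published thumbprint
)
$Root = 'C:\Program Files'

Get-ChildItem -Path $Root -Recurse -Include *.exe,*.dll,*.sys -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        if ($sig.Status -eq 'NotSigned') { return }   # unsigned files are out of scope here
        $cert = $sig.SignerCertificate
        [PSCustomObject]@{
            Path        = $_.FullName
            Status      = $sig.Status                  # Valid, NotTrusted, HashMismatch, ...
            Subject     = $cert.Subject
            Thumbprint  = $cert.Thumbprint
            # A trusted timestamp is what lets a signature outlive a later revocation,
            # so record whether one is present when triaging hits.
            Timestamped = [bool]$sig.TimeStamperCertificate
            OnWatchList = $WatchThumbprints -contains $cert.Thumbprint
        }
    } |
    Where-Object { $_.OnWatchList -or $_.Status -ne 'Valid' } |
    Sort-Object OnWatchList -Descending |
    Format-Table -AutoSize
```

Files that match the watch list are not necessarily malicious (the article notes thousands of legitimate files carry the same signature), so each hit still needs to be checked against the vendor's published list of affected samples and the file's own hash.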

Cross-posted from: SC Magazine