Adobe Certificates Hacked

Monday, October 1, 2012 @ 05:10 PM gHale

“Sophisticated threat actors” engaged in “highly targeted attacks” hacked into Adobe‚Äôs internal server that has access to its digital certificate code signing infrastructure.

The compromise, which the company said goes back to July, led to the creation of at least two digitally signed malicious files that used a valid Adobe certificate, said Adobe security chief Brad Arkin.

Build Your Own Android Malware
Profiting off Android Attacks
Malware Continues to Rise
Malware Bypasses Defenses with Ease

Although only two files ended up signed, the hack gave attackers the ability to create malware that looks like legitimate Adobe software.

One of the two digitally signed malware files is a utility that extracts password hashes from the Windows operating system, Arkin said. One part of that, Arkin said, means an attacker could attempt “lateral movement” that allows for advances toward an escalation of privileges to gain a higher level of access.

“Within minutes of the initial triage of the first sample, we decommissioned our signing infrastructure and began a clean-room implementation of an interim signing service for re-signing components that were signed with the impacted key after July 10, 2012 and to continue code signing for regularly scheduled releases. The interim signing solution includes an offline human verification to ensure that all files scheduled for signature are valid Adobe software. We are in the process of designing and deploying a new, permanent signing solution,” Arkin said.

Adobe did not provide details on the breach except to say it affected a “build server” with access to the code signing infrastructure. Arkin said the compromised machine’s configuration was “not to Adobe corporate standards for a build server” and regretted the company did not catch this during the normal provisioning process.

Adobe is launching an investigation into why its code signing access provisioning process in this case failed to identify these deficiencies. The compromised build server did not have rights to any public key infrastructure (PKI) functions other than the ability to make code signing requests to the code signing service, Arkin said.

A forensics investigation identified malware on the build server and the likely mechanism used to first gain access to the build server, Arkin said.

Adobe plans to revoke the impacted certificates October 4.

The revocation will affect all code signed after July 10, which means the attackers had access to Adobe’s infrastructure for more than two months.

Leave a Reply

You must be logged in to post a comment.