The company also announced that the certificate in question will be revoked on October 4 and that this will affect only the Windows platform and three Adobe AIR applications (Adobe Muse and Adobe Story AIR applications as well as Acrobat.com desktop services) that run on both Windows and Macintosh.
Adobe will, of course, be issuing updates for all impacted products, and has set up a support page providing steps that potentially affected users should go through to rectify the problem on their own machines.
"Sophisticated threat actors use malicious utilities like the signed samples during highly targeted attacks for privilege escalation and lateral movement within an environment following an initial machine compromise. As a result, we believe the vast majority of users are not at risk," pointed out Adobe's engineering senior director Brad Arkin. "Customers should not notice anything out of the ordinary during the certificate revocation process."
The maliciously signed utilities are pwdump7 v7.1, which extracts password hashes from the Windows OS, and myGeeksmail.dll, a malicious ISAPI filter (for more details, check the following security advisory).
"We have shared the samples via the Microsoft Active Protection Program (MAPP) so that security vendors can detect and block the malicious utilities," says Arkin, and advises against moving the impacted Adobe certificate to the Windows Untrusted Certificate Store, since the move won't prevent the execution of the malicious utilities on a victim machine, but will have a "negative impact" on the user experience and execution of valid Adobe software signed with the impacted certificate.
Upon being notified of the misuse of their code signing certificate, Adobe decommissioned the existing Adobe code signing infrastructure and mounted an investigation.
In the meantime, they implemented an interim signing service to re-sign components that had been signed with the impacted key after July 10, 2012, and to continue code signing for regularly scheduled releases. A new, permanent solution is in the works.
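The re-signing cut-off above illustrates how date-scoped revocation works in practice: a revoked signing certificate does not invalidate every signature it ever produced, only those made on or after the point the key is considered compromised, provided each signature carries a trusted timestamp placing it before that point. The following is an added example, not code from Adobe or from the article, that triages a set of signed artifacts against such a revocation entry. The certificate thumbprint is a placeholder (the page gives none), the artifact dates are constructed, and treating the page's July 10, 2012 re-signing date as the revocation effective date is an assumption made for the example.

```python
"""Date-scoped code-signing revocation triage (added example; constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SignedArtifact:
    name: str
    signer_thumbprint: str
    # Time asserted by a trusted timestamp countersignature. None means the
    # signature has no countersignature and therefore cannot be dated.
    signing_time: Optional[datetime]


# Revocation list: signer thumbprint -> instant from which its signatures are
# no longer trusted. Thumbprint is a placeholder; the cut-off reuses the
# re-signing date the article gives (assumption: that is the effective date).
REVOCATIONS: Dict[str, datetime] = {
    "PLACEHOLDER-THUMBPRINT-OF-IMPACTED-CERT": datetime(2012, 7, 10, tzinfo=timezone.utc),
}

TRUSTED = "trusted"
UNTRUSTED_REVOKED = "untrusted: signed on or after the revocation date"
UNTRUSTED_UNDATED = "untrusted: revoked signer and no trusted timestamp"


def classify(artifact: SignedArtifact,
             revocations: Dict[str, datetime] = REVOCATIONS) -> str:
    """Decide whether one signature still deserves trust under the revocation list."""
    cutoff = revocations.get(artifact.signer_thumbprint)
    if cutoff is None:
        # Signer is not on the revocation list at all.
        return TRUSTED
    if artifact.signing_time is None:
        # Without a trusted timestamp there is no way to show the signature
        # predates the compromise, so it must be treated as untrusted.
        return UNTRUSTED_UNDATED
    if artifact.signing_time < cutoff:
        # Signed before the key was considered compromised: still valid.
        return TRUSTED
    return UNTRUSTED_REVOKED


def triage(artifacts: List[SignedArtifact],
           revocations: Dict[str, datetime] = REVOCATIONS) -> Dict[str, List[str]]:
    """Group artifact names by verdict; the untrusted groups are the action list."""
    result: Dict[str, List[str]] = {}
    for artifact in artifacts:
        result.setdefault(classify(artifact, revocations), []).append(artifact.name)
    return result


# Constructed sample inventory. Names of the two utilities come from the
# article; every date and thumbprint here is invented for the example.
IMPACTED = "PLACEHOLDER-THUMBPRINT-OF-IMPACTED-CERT"
OTHER = "PLACEHOLDER-THUMBPRINT-OF-UNRELATED-SIGNER"
SAMPLE = [
    SignedArtifact("legit_installer.exe", IMPACTED, datetime(2012, 3, 1, tzinfo=timezone.utc)),
    SignedArtifact("pwdump7.exe", IMPACTED, datetime(2012, 7, 26, tzinfo=timezone.utc)),
    SignedArtifact("myGeeksmail.dll", IMPACTED, datetime(2012, 7, 26, tzinfo=timezone.utc)),
    SignedArtifact("old_plugin.dll", IMPACTED, None),
    SignedArtifact("third_party.exe", OTHER, datetime(2012, 9, 1, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    for verdict, names in triage(SAMPLE).items():
        print(f"{verdict}: {', '.join(names)}")
```

The two untrusted groups are what a defender would act on: the first is where the maliciously signed utilities land and the second is where legitimately signed but untimestamped components end up, which is why a vendor in this position has to re-sign everything signed after the cut-off rather than rely on revocation alone.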
"Our forensic investigation is ongoing," says Arkin. "To date we have identified malware on the build server and the likely mechanism used to first gain access to the build server. We also have forensic evidence linking the build server to the signing of the malicious utilities. We can confirm that the private key required for generating valid digital signatures was not extracted from the HSM. We believe the threat actors established a foothold on a different Adobe machine and then leveraged standard advanced persistent threat (APT) tactics to gain access to the build server and request signatures for the malicious utilities from the code signing service via the standard protocol used for valid Adobe software."
He also pointed out that the build server used a dedicated account to access the source code required for the build, and that this account had access to only one product. He didn't specify which product it was, but said that it was not Flash Player, Adobe Reader, Shockwave Player, or Adobe AIR.
"There is no evidence to date that any source code was stolen," he concluded. "We have reviewed every commit made to the source repository the machine did have access to and confirmed that no source code changes or code insertions were made by the build server account."