Hackers raid Adobe, compromise certificate to sign malware

Compromised cert to be revoked.

Hackers have broken into an internal server at Adobe to compromise a digital certificate that allowed them to create at least two files that appear to be legitimately signed by the software maker, but actually contain malware.

Adobe expects to revoke the compromised certificate later this week.

Product security and privacy director Brad Arkin said Windows software signed with the impacted certificate, plus three Adobe AIR applications for Windows and Macintosh, would be affected.
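After a notice like this, a Windows administrator wants an inventory of binaries whose Authenticode signer matches the compromised certificate, and of signed files whose signature no longer validates. The script below is an added example, not code from the article or from Adobe: it uses the built-in `Get-AuthenticodeSignature` cmdlet, and the thumbprint in `$RevokedSignerThumbprints` is a placeholder to be replaced with the value from the certificate authority's revocation notice (the article gives no serial number or thumbprint).

```powershell
# Added example (not from the article or Adobe): list Windows binaries signed by a
# certificate on a revoked/compromised list, plus any signed file that fails validation.
$RevokedSignerThumbprints = @(
    '0000000000000000000000000000000000000000'   # PLACEHOLDER SHA-1 thumbprint, not Adobe's real value
)

function Find-RevokedSignerBinaries {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $Thumbprints
    )
    Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll, *.sys, *.msi -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            # Unsigned files have no SignerCertificate; skip them, this check is about signed code
            if ($null -ne $sig.SignerCertificate) {
                $onList = $Thumbprints -contains $sig.SignerCertificate.Thumbprint
                if ($onList -or $sig.Status -ne 'Valid') {
                    [pscustomobject]@{
                        File         = $_.FullName
                        Status       = $sig.Status              # Valid, NotTrusted, HashMismatch, UnknownError, ...
                        Subject      = $sig.SignerCertificate.Subject
                        Thumbprint   = $sig.SignerCertificate.Thumbprint
                        Timestamped  = ($null -ne $sig.TimeStamperCertificate)
                        OnRevokedList = $onList
                    }
                }
            }
        }
}

Find-RevokedSignerBinaries -Path 'C:\Program Files' -Thumbprints $RevokedSignerThumbprints |
    Format-Table -AutoSize
```

Match on the thumbprint rather than relying on `Status` alone: revocation checking depends on the client being able to fetch the CA's CRL, and a signature that carries a trusted timestamp countersignature keeps validating if the revocation's effective date is later than the signing time, so a revoked signer can still show `Valid`.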

"We have strong reason to believe that this issue does not present a general security risk. The evidence we have seen has been limited to a single isolated discovery of two malicious utilities signed using the certificate and indicates that the certificate was not used to sign widespread malware."

The company uncovered the breach after coming across two malicious utilities that appeared to be digitally signed with a valid Adobe certificate. It was unclear if the files were used in attacks.

An Adobe spokeswoman said the company had stringent security measures in place to protect its code signing infrastructure.

"The private keys associated with the Adobe code signing certificates were stored in Hardware Security Modules (HSMs) kept in physically secure facilities. We confirmed that the private key associated with the Adobe code signing certificate was not extracted from the HSM."

Arkin said signed samples were typically used in targeted attacks for privilege escalation and lateral movement within an environment after an initial machine compromise.

He said the 'build' server that was compromised was not configured according to Adobe's corporate standards, and that the shortfall was not caught during the provisioning process.

He added that the affected server did not provide the adversaries with access to any source code for other products, such as the popular Flash Player and Adobe Reader and Acrobat software.

Valid digital certificates being used for illegitimate purposes have become a preferred hacker ploy of late. Most recently, the authors of the Flame virus used rogue Microsoft certs to spread the nefarious malware. Certificate authorities themselves also have been targeted.

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition