Adobe code signing infrastructure hacked by 'sophisticated threat actors'

Summary: The eyebrow-raising hack effectively gave the attackers the ability to create malware masquerading as legitimate Adobe software and signals a raising of the stakes in the world of Advanced Persistent Threats (APTs).

TOPICS: Security

Adobe today warned that an internal server with access to its digital certificate code signing infrastructure was hacked by "sophisticated threat actors" engaged in "highly targeted attacks."

The compromise, which dates back to early July, led to the creation of at least two malicious files that were digitally signed using a valid Adobe certificate, according to Adobe security chief Brad Arkin.

Although only two files were signed, the hack effectively gave the attackers the ability to create malware masquerading as legitimate Adobe software and signals a raising of the stakes in the world of Advanced Persistent Threats (APTs).

According to Arkin, one of the two digitally signed malware files is a utility that extracts password hashes from the Windows operating system. Hash dumping is a standard step in lateral movement: once a targeted attacker has a foothold on one machine, the dumped hashes are cracked or reused to authenticate to other hosts and to reach higher-privileged accounts.

"The first malicious utility we received is pwdump7 v7.1. This utility extracts password hashes from the Windows OS and is sometimes used as a single file that statically links the OpenSSL library libeay32.dll. The sample we received included two separate and individually signed files. We believe the second malicious utility, myGeeksmail.dll, is a malicious ISAPI filter. Unlike the first utility, we are not aware of any publicly available versions of this ISAPI filter," Arkin explained.

"Within minutes of the initial triage of the first sample, we decommissioned our signing infrastructure and began a clean-room implementation of an interim signing service for re-signing components that were signed with the impacted key after July 10, 2012 and to continue code signing for regularly scheduled releases. The interim signing solution includes an offline human verification to ensure that all files scheduled for signature are valid Adobe software. We are in the process of designing and deploying a new, permanent signing solution," Arkin added.

Adobe did not provide details on the nature of the breach except to say that it affected a "build server" with access to the code signing infrastructure. Arkin said the compromised machine's configuration was "not to Adobe corporate standards for a build server" and lamented the fact that this was not caught during the normal provisioning process.

"We are investigating why our code signing access provisioning process in this case failed to identify these deficiencies. The compromised build server did not have rights to any public key infrastructure (PKI) functions other than the ability to make code signing requests to the code signing service," he added.

Arkin said a forensics investigation identified malware on the build server and the likely mechanism used to first gain access to the build server.

"We also have forensic evidence linking the build server to the signing of the malicious utilities. We can confirm that the private key required for generating valid digital signatures was not extracted from the HSM. We believe the threat actors established a foothold on a different Adobe machine and then leveraged standard advanced persistent threat (APT) tactics to gain access to the build server and request signatures for the malicious utilities from the code signing service via the standard protocol used for valid Adobe software," he added.
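The failure Arkin describes, as an added example (my code, not Adobe's): the build server only needed the right to submit signing requests, because the service did not check what it was being asked to sign. Below is a small Python model of a signing service in front of an HSM stand-in, in the weak configuration (any enrolled host gets anything signed) beside the hardened one that only signs digests listed in an offline-approved release manifest, with an audit log that lets a responder list what one host had signed. The HSM (an HMAC key, not a real RSA/ECDSA key in hardware), the manifest, the hostname and the file contents are assumptions constructed for the example.

```python
"""Added example, not Adobe's code: a signing service that authorises the
artefact being signed, not only the host asking. require_manifest=False
models the gap in the account above (an enrolled build host can get anything
signed); True models the interim service's offline approval step.
Assumptions: the HSM is modelled by an HMAC key kept inside the Hsm object;
manifest, hostname and file contents are constructed for the example."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone


class SigningDenied(Exception):
    """Request refused by policy."""


class Hsm:
    """Stand-in for a hardware module: the key is generated inside and only
    sign()/verify() are exposed through the interface, as with a real HSM."""

    def __init__(self) -> None:
        self.__key = secrets.token_bytes(32)  # never returned to callers

    def sign(self, digest: bytes) -> bytes:
        return hmac.new(self.__key, digest, "sha256").digest()

    def verify(self, digest: bytes, signature: bytes) -> bool:
        return hmac.compare_digest(self.sign(digest), signature)


@dataclass
class SigningService:
    hsm: Hsm
    enrolled: set                  # hosts allowed to submit signing requests
    manifest: dict                 # sha256 hex -> component name, approved offline
    require_manifest: bool = True  # False: sign anything an enrolled host sends
    audit: list = field(default_factory=list)

    def request_signature(self, requester: str, blob: bytes) -> bytes:
        digest = hashlib.sha256(blob).digest()
        component = self.manifest.get(digest.hex())
        entry = {"when": datetime.now(timezone.utc).isoformat(),
                 "requester": requester, "sha256": digest.hex(),
                 "component": component}
        self.audit.append(entry)   # every request is logged, signed or not
        if requester not in self.enrolled:
            entry["result"] = "denied: unknown requester"
            raise SigningDenied(entry["result"])
        if self.require_manifest and component is None:
            # An artefact nobody approved offline is not release software,
            # whichever enrolled host submits it.
            entry["result"] = "denied: not in release manifest"
            raise SigningDenied(entry["result"])
        entry["result"] = "signed"
        return self.hsm.sign(digest)

    def signed_by(self, requester: str) -> list:
        """Digests actually signed for one host: what a responder needs in
        order to decide which files must be revoked and re-signed."""
        return [e["sha256"] for e in self.audit
                if e["requester"] == requester and e.get("result") == "signed"]


def demo() -> dict:
    """Both configurations, one legitimate build and one unapproved tool."""
    hsm = Hsm()
    legit = b"constructed: AdobeComponent.dll release build"
    unapproved = b"constructed: password-dumping tool, never approved"
    manifest = {hashlib.sha256(legit).hexdigest(): "AdobeComponent.dll"}
    enrolled = {"build-server-42"}          # constructed hostname
    weak = SigningService(hsm, enrolled, manifest, require_manifest=False)
    hard = SigningService(hsm, enrolled, manifest, require_manifest=True)
    out = {}

    sig = weak.request_signature("build-server-42", unapproved)
    out["weak_signed_unapproved"] = hsm.verify(hashlib.sha256(unapproved).digest(), sig)
    try:
        hard.request_signature("build-server-42", unapproved)
        out["hard_signed_unapproved"] = True
    except SigningDenied:
        out["hard_signed_unapproved"] = False
    sig = hard.request_signature("build-server-42", legit)
    out["hard_signed_legit"] = hsm.verify(hashlib.sha256(legit).digest(), sig)
    out["weak_audit_for_host"] = weak.signed_by("build-server-42")
    return out
```

The point of the model is that the key never leaving the HSM, which Adobe confirmed, is necessary but not sufficient: the signing service is the real trust boundary, so it has to decide per artefact, not per client, and it has to keep a log from which every signature issued in the compromise window can be enumerated.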

Arkin says there is no evidence that source code was stolen during the compromise.

Adobe plans to revoke the impacted certificates on October 4, 2012.

The revocation will affect all code signed with the impacted certificate after July 10, 2012, the date from which Adobe believes signatures could have been obtained. That leaves a window of almost three months up to the revocation date, and legitimate Adobe components signed in that window need to be re-signed, which is what the interim signing service Arkin describes is for.
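What a dated revocation means for an Adobe-signed binary found on a host, as an added example that is not part of the article or of Adobe's tooling: Authenticode revocation is evaluated against the signature's trusted timestamp, so a signature whose timestamp-authority countersignature predates July 10, 2012 keeps validating, one dated after it fails, and one with no trusted timestamp at all cannot be dated and fails too. The certificate serial, the paths and the times below are constructed placeholders; real triage would read the serial and the countersignature out of each PE file's PKCS#7 SignedData.

```python
"""Added example, not Adobe's tooling: triage of a signed-file inventory
against a certificate revocation that carries an effective date.
Assumptions: IMPACTED_SERIAL is a placeholder, the inventory is constructed,
and the revocation date is the July 10, 2012 cut-off named in the article."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

EFFECTIVE = datetime(2012, 7, 10, tzinfo=timezone.utc)
IMPACTED_SERIAL = "00:placeholder-serial-of-impacted-cert"   # assumption


@dataclass
class SignedFile:
    path: str
    serial: str                        # serial of the signing certificate
    claimed_time: Optional[datetime]   # signingTime attribute, set by the signer
    tsa_time: Optional[datetime]       # timestamp-authority countersignature, or None


def classify(f: SignedFile, serial: str = IMPACTED_SERIAL,
             effective: datetime = EFFECTIVE) -> str:
    if f.serial != serial:
        return "unaffected"
    # Only the TSA countersignature dates a signature. The signer's own
    # signingTime is produced by whoever submitted the signing request, so a
    # compromised build host could backdate it; it is ignored here.
    if f.tsa_time is None:
        return "untrusted"      # cannot be shown to predate the revocation
    if f.tsa_time < effective:
        return "valid"          # timestamped before the effective date
    return "revoked"            # signed in the window: must be re-signed


def triage(inventory) -> dict:
    groups = {"unaffected": [], "valid": [], "revoked": [], "untrusted": []}
    for f in inventory:
        groups[classify(f)].append(f.path)
    return groups


def constructed_inventory() -> list:
    """Constructed records, not data from any real host."""
    def ts(y, m, d):
        return datetime(y, m, d, tzinfo=timezone.utc)
    return [
        SignedFile("C:/Program Files/Adobe/good_2011.dll", IMPACTED_SERIAL,
                   ts(2011, 9, 1), ts(2011, 9, 1)),
        SignedFile("C:/Program Files/Adobe/release_aug.dll", IMPACTED_SERIAL,
                   ts(2012, 8, 20), ts(2012, 8, 20)),
        # backdated signingTime, honest TSA time: still revoked
        SignedFile("C:/Temp/unknown_tool.exe", IMPACTED_SERIAL,
                   ts(2012, 6, 1), ts(2012, 7, 26)),
        # no countersignature: cannot be proven pre-revocation
        SignedFile("C:/Temp/unknown_filter.dll", IMPACTED_SERIAL,
                   ts(2012, 5, 1), None),
        SignedFile("C:/Windows/System32/other.dll", "00:different-serial",
                   ts(2012, 8, 1), ts(2012, 8, 1)),
    ]
```

Two things the triage turns up that a plain "is it signed by Adobe" check misses: a backdated signingTime does not rescue a file whose countersignature falls inside the window, and a file with no countersignature at all ends up untrusted even if it was signed years earlier, which is the operational reason release pipelines should always timestamp signatures.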

Talkback

32 comments
  • if anyone needed unequivocal evidence

    Adobe is a complete failure in the field of secure applications and systems management, then this is indelible proof.

    "Adobe did not provide details on the nature of the breach except to say that it affected a "build server" with access to the code signing infrastructure. Arkin said the compromised machine's configuration was "not to Adobe corporate standards for a build server" and lamented the fact that this was not caught during the normal provisioning process."

    Of course ... it's *nothing to be concerned about* ... it was 'only' a build server .. [gobsmacked :O].

    "We are investigating why our code signing access provisioning process in this case failed to identify these deficiencies. The compromised build server did not have rights to any public key infrastructure (PKI) functions other than the ability to make code signing requests to the code signing service," he added.

    Sure, this time it had no direct PKI rights ... that's so reassuring for their corporate, entrenched product user base.

    The big takeaway today? When a vendor of corporate documentation applications cannot safeguard its internal systems through well-planned, tested (..and retested) and deployed security management processes, what chance does their hapless corporate client base have?

    Disgraceful, completely unnerving and frightening all at the same time.
    thx-1138_
    • Hater

      Move on, biased hater.

      It was not a major issue.

      Any company is vulnerable to such problems, because
      no software is perfect,
      no architecture is perfect,
      humans are not perfect.
      Rikkrdo
      • Um, yes it is

        Hacking their development kit is major, but worse is having their signing software exploited on their own hardware and not noticing.

        I don't agree with thx's tone, but it's hardly a non-event?
        MarknWill
        • but...

          they did notice...and decommissioned their servers and informed the public. Did you even read the article or just more bandwagon action for you?
          1Riptide
          • trust

            You can't trust Adobe anymore, their infrastructure was hacked for TWO MONTHS and they say it's not a big deal. Your wife has been sleeping with the mailman for the last two months, it's not a big deal...
            amunar@...
          • Adobe reader

            Adobe Reader is such a useless program now. I needed to print out from it and got nowhere; it's a dud.
            cally_laws@...
          • *face-palm*

            Of course they noticed, it's how we know about it.

            "And lamented the fact that this was not caught during the normal provisioning process"

            Kind of not noticing, not the noticing it happened nearly 3 months ago kind of noticing.

            Bandwagoning? I just don't see the logical opposing argument given that my own argument was neither doom, despair nor exacerbating the situation. I merely commented that this is a significant security event, and implied it is not an everyday event for a major software developer.

            That given, what is your "off the beaten path" opinion of this news? It's not relevant news? It is not a note worthy security breach? I simply do not follow that "logic"?
            MarknWill
      • Magic Indians Didn't Do Their Jobs

        Magic Indians were supposed to ensure this could never happen. When Americans ran Adobe nothing like this EVER happened.
        Wakjob
        • Adobe outsourced their soul to India

          Good old American Adobe ended when they moved to their now posh headquarters in San Jose. The old Adobe typeface character striker sculpture is all that remains on what is now the Google campus in Mountain View.
          Adobe, the creator of flash cookies, the insidious side step around preventing outside software and web apps from stuffing info into your computer. Apple has it right, no Flash. +1 for turning off Adobe automatic updates. What a farce of invasive useless crudding up of a Windows machine.
          jkkerouac
      • Stupid is as stupid does

        All our online computer problems for the last 2 years have stemmed from adobe products: constant attacks through flash content requiring system cleaning; system crashes from allowing automatic updates of adobe reader and updates of adobe flash - requiring system cleaning to DoD level wipes and OS reinstall. Since blocking adobe automatic updates and flash content we have not had a problem, they have had a hacking problem much longer than admitted. I will no longer update adobe products until they offer a secured authenticated direct downloadable file I can check, and only view flash content in a browser secured by kaspersky safe run protocols. Adobe online products have become way more trouble than the "web experience" is worth.

        There is no real excuse for poor security and incompetence. Would Adobe's apologists be happier if we called pickles just distressed cucumbers because it's not the cucumber's fault?
        Makes Things
      • No, Adobe is just plain incompetent

        They have proven themselves to be even more wretched at security and good coding than Microsoft -- their long term inability to especially get a handle on Flash exploits is utterly inexcusable.
        JustCallMeBC
      • Uhmm . . .

        . . . Adobe craps here, there, everywhere, and you don't think it's a problem because this particular pile of dung isn't in your living room. How many times are you going to trust them?
        sporkfighter
    • Kudo to Adobe for disclosing

      Knee-jerk reactions like the above create a poisoned atmosphere where companies will hesitate to disclose compromises. If they are cooperating in disclosing what happened, we should commend and cooperate in helping to work the problem. In this asymmetric battle between companies and actors with nation-state resources, none of us have adequate security. It's just a matter of whom these actors choose to exploit this week. If we want to shake a tree, it should be with the politicians whose policy is inaction and for whom this is not even a minor campaign issue.
      cbiow
  • Should be revoked TODAY . . .

    "Adobe plans to revoke the impacted certificates on October 4, 2012."

    Eh, what? Revoke them as soon as you learn about the incident. Don't wait. You don't want to give anybody a window of opportunity.
    CobraA1
    • July

      As the news notes, their systems were compromised in July, therefore it has already been almost 3 months of freedom for the invader.
      Rikkrdo
  • C'mon HTML5, or whatever...

    This is becoming ridiculous, really. The fact that such a huge portion of the internet relies on this one company's technologies for the most mundane viewing of simple web pages or videos... And they consistently are the bane of any security-minded person's existence. Just hand over the keys, already. Admit you don't know how to drive. Or pay someone that does... Just, don't get back in the car, again and again, endangering the lives of your passengers, or innocent bystanders, for the love of all that is holy.
    TechNickle
    • I'd almost bet..

      That the security breach was due to none other than themselves, with browser add-ons they supplied themselves for Flash playback, and yet, as vulnerable as a soft skinned teenager with hearing difficulties (is there someone there?) or high-heeled women (oh, I'll run away, half naked and off-balance) in any/all slasher movies. At some point, due to these inadequacies, even the most empathetic viewers switch sides, if only for the inevitable ensuing carnage.
      TechNickle
    • Ignorance reigns...

      This has nothing to do with the HTML5 vs Flashplayer discussion!!! This has NOTHING to do with your browser! Read the article again.

      I'm not even sure the author is aware of this...instead he is contributing to the misinformation that is everywhere.

      BTW, where are your signed HTML5 apps? lol
      ZDNet...stop the hate.
      1Riptide
  • that sound like a very smart attack...

    In any case, whether the root keys were stolen OR some malicious tools have been signed with their private key, the only solution is to revoke the certificates. If they have logs for all these months, then probably they might know which other non-Adobe software modules have been signed like this...

    It's like someone got in cheekily, dressed up properly in your clothes and got out neatly...:-)
    sreesiv
  • Another Week . . .

    . . . another Adobe disaster . . .
    Gr8Music