Adobe code signing infrastructure hacked by 'sophisticated threat actors'
Summary: The eyebrow-raising hack effectively gave the attackers the ability to create malware masquerading as legitimate Adobe software and signals a raising of the stakes in the world of Advanced Persistent Threats (APTs).

Adobe today warned that an internal server with access to its digital certificate code signing infrastructure was hacked by "sophisticated threat actors" engaged in "highly targeted attacks."
The compromise, which dates back to early July, led to the creation of at least two malicious files that were digitally signed using a valid Adobe certificate, according to Adobe security chief Brad Arkin.
Although only two files were signed, the hack effectively gave the attackers the ability to create malware masquerading as legitimate Adobe software and signals a raising of the stakes in the world of Advanced Persistent Threats (APTs).
According to Arkin, one of the two digitally signed malware files is a utility that extracts password hashes from the Windows operating system. This hints at the "lateral movement" that is common once a targeted attacker gains access to a network and attempts to elevate privileges to gain a higher level of access.
"The first malicious utility we received is pwdump7 v7.1. This utility extracts password hashes from the Windows OS and is sometimes used as a single file that statically links the OpenSSL library libeay32.dll. The sample we received included two separate and individually signed files. We believe the second malicious utility, myGeeksmail.dll, is a malicious ISAPI filter. Unlike the first utility, we are not aware of any publicly available versions of this ISAPI filter," Arkin explained.
"Within minutes of the initial triage of the first sample, we decommissioned our signing infrastructure and began a clean-room implementation of an interim signing service for re-signing components that were signed with the impacted key after July 10, 2012 and to continue code signing for regularly scheduled releases. The interim signing solution includes an offline human verification to ensure that all files scheduled for signature are valid Adobe software. We are in the process of designing and deploying a new, permanent signing solution," Arkin added.
Adobe did not provide details on the nature of the breach except to say that it affected a "build server" with access to the code signing infrastructure. Arkin said the compromised machine's configuration was "not to Adobe corporate standards for a build server" and lamented the fact that this was not caught during the normal provisioning process.
"We are investigating why our code signing access provisioning process in this case failed to identify these deficiencies. The compromised build server did not have rights to any public key infrastructure (PKI) functions other than the ability to make code signing requests to the code signing service," he added.
Arkin said a forensics investigation identified malware on the build server and the likely mechanism used to first gain access to the build server.
"We also have forensic evidence linking the build server to the signing of the malicious utilities. We can confirm that the private key required for generating valid digital signatures was not extracted from the HSM. We believe the threat actors established a foothold on a different Adobe machine and then leveraged standard advanced persistent threat (APT) tactics to gain access to the build server and request signatures for the malicious utilities from the code signing service via the standard protocol used for valid Adobe software," he added.
Arkin says there is no evidence that source code was stolen during the compromise.
Adobe plans to revoke the impacted certificates on October 4, 2012.
The revocation will affect all code signed after July 10, 2012, which indicates the attackers had access to Adobe's infrastructure for more than two months.
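As an added illustration (not code from the article or from Adobe), the following models two controls the incident points at: a gate in front of the signing service that refuses requests whose file is not in a reviewed release manifest or that come from an unapproved build host, and the rule for which signatures a revocation dated July 10, 2012 invalidates. Host names, hashes and the manifest are constructed placeholders.

```python
"""Defender-side checks drawn from the Adobe signing-service incident."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

# Dates from the article: the impacted key was misused from 10 July 2012 and
# Adobe revokes the certificate effective 4 October 2012.
IMPACTED_KEY_FROM = date(2012, 7, 10)
REVOCATION_DATE = date(2012, 10, 4)

@dataclass(frozen=True)
class SigningRequest:
    requester: str   # build host submitting the request
    filename: str
    sha256: str      # hash of the binary to be signed

# Hypothetical allowlist and manifest; the manifest is produced by the release
# process and reviewed out of band, the human step Adobe added afterwards.
APPROVED_REQUESTERS = {"build-01.corp.example"}
RELEASE_MANIFEST = {"a" * 64: "AdobeReaderSetup.exe"}  # sha256 -> expected name

def gate_signing_request(req: SigningRequest, manifest=RELEASE_MANIFEST,
                         approved=APPROVED_REQUESTERS) -> tuple[str, str]:
    """Return ("sign", reason) or ("reject", reason) for one signing request."""
    if req.requester not in approved:
        return "reject", f"{req.requester} is not an approved signing requester"
    expected = manifest.get(req.sha256.lower())
    if expected is None:
        return "reject", f"{req.filename}: hash not in release manifest"
    if expected != req.filename:
        return "reject", f"{req.filename}: manifest lists this hash as {expected}"
    return "sign", f"{req.filename}: matches manifest entry"

def signature_status(signed_on: date, countersigned: bool) -> str:
    """Classify a signature made with the impacted certificate once revoked.

    A revocation dated IMPACTED_KEY_FROM leaves earlier signatures trusted only
    if a timestamp countersignature proves they predate it; anything signed
    later, or without a timestamp, must be re-signed with the replacement key.
    """
    if signed_on <= IMPACTED_KEY_FROM and countersigned:
        return "trusted"
    return "untrusted"

if __name__ == "__main__":
    # Constructed requests: one legitimate build, one mimicking a rogue request.
    for req in (SigningRequest("build-01.corp.example", "AdobeReaderSetup.exe", "a" * 64),
                SigningRequest("build-01.corp.example", "pwdump7.exe", "b" * 64)):
        print(req.filename, *gate_signing_request(req))
```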
Talkback
if anyone needed unequivocal evidence
"Adobe did not provide details on the nature of the breach except to say that it affected a "build server" with access to the code signing infrastructure. Arkin said the compromised machine's configuration was "not to Adobe corporate standards for a build server" and lamented the fact that this was not caught during the normal provisioning process."
Of course ... it's *nothing to be concerned about* ... it was 'only' a build server .. [gobsmacked :O].
"We are investigating why our code signing access provisioning process in this case failed to identify these deficiencies. The compromised build server did not have rights to any public key infrastructure (PKI) functions other than the ability to make code signing requests to the code signing service," he added.
Sure, this time it had no direct PKI rights ... that's so assuring for their corporate, entrenched product user base.
The big takeaway today? When a vendor of corporate documentation applications cannot safeguard its internal systems through well planned, tested (..and retested) and deployed security management processes, what chance does their hapless corporate client base have?
Disgraceful, completely unnerving and frightening all at the same time.
Hater
It was not a major issue.
Any company is vulnerable to such problems, because
no software is perfect,
no architecture is perfect,
humans are not perfect.
Um, yes it is
I don't agree with thx's tone, but it's hardly a non event?
but...
trust
Adobe reader
*face-palm*
"And lamented the fact that this was not caught during the normal provisioning process"
Kind of not noticing, not the noticing it happened nearly 3 months ago kind of noticing.
Bandwagoning? I just don't see the logical opposing argument given that my own argument was neither doom, despair nor exacerbating the situation. I merely commented that this is a significant security event, and implied it is not an everyday event for a major software developer.
That given, what is your "off the beaten path" opinion of this news? It's not relevant news? It is not a noteworthy security breach? I simply do not follow that "logic".
Magic Indians Didn't Do Their Jobs
Adobe outsourced their soul to India
Adobe, the creator of flash cookies, the insidious side step around preventing outside software and web apps from stuffing info into your computer. Apple has it right, no Flash. +1 for turning off Adobe automatic updates. What a farce of invasive useless crudding up of a Windows machine.
Stupid is as stupid does
There is no real excuse for poor security and incompetence; would Adobe's apologist be happier if we called pickles just distressed cucumbers because it's not the cucumber's fault?
No, Adobe is just plain incompetent
Uhmm . . .
Kudos to Adobe for disclosing
Should be revoked TODAY . . .
Eh, what? Revoke them as soon as you learn about the incident. Don't wait. You don't want to give anybody a window of opportunity.
July
C'mon HTML5, or whatever...
I'd almost bet..
Ignorance reigns...
I'm not even sure the author is aware of this...instead he is contributing to the misinformation that is everywhere.
BTW, where are your signed HTML5 apps? lol
ZDNet...stop the hate.
That sounds like a very smart attack...
It's like someone got in cheekily, dressed up properly in your clothes and got out neatly...:-)
Another Week . . .