Latest news
Adobe admits breach, will revoke compromised code signing certificate
Posted on 28 September 2012.
Adobe has confirmed that one of their build servers that has access to the Adobe code signing infrastructure has been compromised, allowing attackers to digitally sign two malicious utilities with a valid Adobe code signing certificate.
The company also announced that the certificate in question will be revoked on October 4 and that this will affect only the Windows platform and three Adobe AIR applications (Adobe Muse and Adobe Story AIR applications as well as Acrobat.com desktop services) that run on both Windows and Macintosh.
Adobe will, of course, be issuing updates for all impacted products, and has set up a support page providing steps that potentially affected users should go through to rectify the problem on their own machines.
"Sophisticated threat actors use malicious utilities like the signed samples during highly targeted attacks for privilege escalation and lateral movement within an environment following an initial machine compromise. As a result, we believe the vast majority of users are not at risk," pointed out Adobe's engineering senior director Brad Arkin. "Customers should not notice anything out of the ordinary during the certificate revocation process."
The maliciously signed utilities are pwdump7 v7.1, which extracts password hashes from the Windows OS, and myGeeksmail.dll, a malicious ISAPI filter (for more details, check the following security advisory).
"We have shared the samples via the Microsoft Active Protection Program (MAPP) so that security vendors can detect and block the malicious utilities," says Arkin, and advises against moving the impacted Adobe certificate to the Windows Untrusted Certificate Store, since the move won't prevent the execution of the malicious utilities on a victim machine, but will have a "negative impact" on the user experience and execution of valid Adobe software signed with the impacted certificate.
Upon being notified of the misuse of their code signing certificate, Adobe decommissioned the existing Adobe code signing infrastructure and mounted an investigation.
In the meantime, they implemented an interim signing service for re-signing components that were signed with the impacted key after July 10, 2012 and to continue code signing for regularly scheduled releases. A new, permanent solution is in the works.
"Our forensic investigation is ongoing," says Arkin. "To date we have identified malware on the build server and the likely mechanism used to first gain access to the build server. We also have forensic evidence linking the build server to the signing of the malicious utilities. We can confirm that the private key required for generating valid digital signatures was not extracted from the HSM. We believe the threat actors established a foothold on a different Adobe machine and then leveraged standard advanced persistent threat (APT) tactics to gain access to the build server and request signatures for the malicious utilities from the code signing service via the standard protocol used for valid Adobe software."
He also pointed out that the build server used a dedicated account to access source code required for the build, and that this account had access to only one product. He didn't specify which product it is, but said that it wasn't that of Flash Player, Adobe Reader, Shockwave Player, or Adobe AIR.
"There is no evidence to date that any source code was stolen," he concluded. "We have reviewed every commit made to the source repository the machine did have access to and confirmed that no source code changes or code insertions were made by the build server account."
The company also announced that the certificate in question will be revoked on October 4 and that this will affect only the Windows platform and three Adobe AIR applications (Adobe Muse and Adobe Story AIR applications as well as Acrobat.com desktop services) that run on both Windows and Macintosh.
Adobe will, of course, be issuing updates for all impacted products, and has set up a support page providing steps that potentially affected users should go through to rectify the problem on their own machines.
"Sophisticated threat actors use malicious utilities like the signed samples during highly targeted attacks for privilege escalation and lateral movement within an environment following an initial machine compromise. As a result, we believe the vast majority of users are not at risk," pointed out Adobe's engineering senior director Brad Arkin. "Customers should not notice anything out of the ordinary during the certificate revocation process."
The maliciously signed utilities are pwdump7 v7.1, which extracts password hashes from the Windows OS, and myGeeksmail.dll, a malicious ISAPI filter (for more details, check the following security advisory).
"We have shared the samples via the Microsoft Active Protection Program (MAPP) so that security vendors can detect and block the malicious utilities," says Arkin, and advises against moving the impacted Adobe certificate to the Windows Untrusted Certificate Store, since the move won't prevent the execution of the malicious utilities on a victim machine, but will have a "negative impact" on the user experience and execution of valid Adobe software signed with the impacted certificate.
Upon being notified of the misuse of their code signing certificate, Adobe decommissioned the existing Adobe code signing infrastructure and mounted an investigation.
In the meantime, they implemented an interim signing service for re-signing components that were signed with the impacted key after July 10, 2012 and to continue code signing for regularly scheduled releases. A new, permanent solution is in the works.
"Our forensic investigation is ongoing," says Arkin. "To date we have identified malware on the build server and the likely mechanism used to first gain access to the build server. We also have forensic evidence linking the build server to the signing of the malicious utilities. We can confirm that the private key required for generating valid digital signatures was not extracted from the HSM. We believe the threat actors established a foothold on a different Adobe machine and then leveraged standard advanced persistent threat (APT) tactics to gain access to the build server and request signatures for the malicious utilities from the code signing service via the standard protocol used for valid Adobe software."
He also pointed out that the build server used a dedicated account to access source code required for the build, and that this account had access to only one product. He didn't specify which product it is, but said that it wasn't that of Flash Player, Adobe Reader, Shockwave Player, or Adobe AIR.
"There is no evidence to date that any source code was stolen," he concluded. "We have reviewed every commit made to the source repository the machine did have access to and confirmed that no source code changes or code insertions were made by the build server account."
Spotlight
Is it time to professionalize information security?
Posted on 23 May 2013. | The issue of whether or not information security professionals should be licensed to practice has already been the topic of many a passionate debate.
Review: Logging and Log Management
Posted on 22 May 2013. | Every security practitioner should be aware of the overwhelming advantages of logging and perusing logs for discovering system intrusions. But logging and log management comes with its own set of difficulties.
Experts highlight top data breach vulnerabilities
Posted on 22 May 2013. | Hidden vulnerabilities lie in everyday activities that can expose personal information and lead to data breach, including buying gas with a credit card or wearing a pacemaker.
A closer look at Mega cloud storage
Posted on 21 May 2013. | Once a novelty, nowadays many cloud storage services are fighting for their piece of the market in the virtual world. Mega offers 50GB of free space with great pricing on Pro accounts.
The CSO perspective on healthcare security and compliance
Posted on 20 May 2013. | Randall Gamby is the CSO of the Medicaid Information Service Center of New York. In this interview he discusses healthcare security and compliance challenges and offers a variety of tips.
Daily digest
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
Weekly newsletter
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.
 |
