Adobe today announced it has been subject to a significant security breach, including a compromised build server resulting in at least one valid Adobe code signing certificate being used to sign malware. As a result, the software company will be revoking the impacted certificate for all code signed after July 10, 2012 one week from today, at 1:15 pm PDT on October 4. It is also publishing updates for existing software signed with it.
The certificate in question was for Adobe software on the Windows platform as well as three Adobe AIR applications (Adobe Muse, Adobe Story AIR, and Acrobat.com desktop services) that run on both Windows and Mac OS. The revocation will thus not impact any other Adobe software for Mac or other platforms, according to Adobe, nor should customers notice anything out of the ordinary.
Adobe discovered the problem when it received two malicious utilities (pwdump7 v7.1 and myGeeksmail.dll) that were digitally signed using one of its certificates. While the company says both pieces of malware came from the same source, it can’t confirm that there aren’t more out there.
The company believes most users are not at risk because the malware is quite sophisticated and likely will or are already is being used for highly-targeted attacks. In other words, the argument is that your typical cybercriminal won’t be going through the trouble of obtaining a valid certificate from Adobe just to infect your computer.
pwdump7, which Adobe received in a package that include two separate and individually signed files, extracts password hashes from the Windows operating system, while myGeeksmail.dll appears to be a malicious ISAPI filter, which doesn’t seem to be publicly available.
Adobe has shared the samples via the Microsoft Active Protection Program (MAPP) so that security vendors can detect and block them. Furthermore, system administrators can create a Software Restriction Policy (SRP) via Group Policy that disallows the execution of the malicious utilities and blocks them on the basis of the individual file hashes.
The private keys associated with the Adobe code signing certificates were stored in Hardware Security Modules (HSMs) kept in physically secure facilities, which verified all individuals who were given access. Within minutes of being sent pwdump7 v7.1, Adobe decommissioned its signing infrastructure and implemented an interim signing service that includes offline human verification to ensure that all files scheduled for signature are valid Adobe software. The company is now in the process of designing and deploying a new, permanent signing solution, as the original one clearly failed miserably.
After the decommissioning, Adobe says it launched a forensics investigation which led to the discovery of a compromised build server with access to the Adobe code signing infrastructure. In fact, Adobe says the details of the machine’s configuration were not to up to its corporate standards for a build server, though the company did not explain how this was not caught sooner, and is still trying to figure that out how the deficiencies snuck by.
The company did, however, find malware on it “and the likely mechanism used to first gain access to the build server.” Here’s Adobe’s current theory on how the breach occurred:
We believe the threat actors established a foothold on a different Adobe machine and then leveraged standard advanced persistent threat (APT) tactics to gain access to the build server and request signatures for the malicious utilities from the code signing service via the standard protocol used for valid Adobe software.
Adobe is still investigating the whole fiasco and so far can say that “there is no evidence to date that any source code was stolen.” For more information, here’s the full Security bulletin and the Security certificate update support page.
Update at 6:30PM EST: F-Secure says the certificate has been used to sign over 5,000 individual pieces of malware:
Our sample repository has 5127 files that have been signed with the compromised Adobe certificate. twitter.com/mikko/status/2…
— Mikko Hypponen (@mikko) September 27, 2012
Update on October 4: The certificate has now been revoked. Adobe says:
Following up on our communication from September 27, 2012, we have now revoked the Adobe code signing certificate for all code signed after July 10, 2012 (00:00 GMT). We have updated the Security Advisory (APSA12-01) to reflect this action.
On to the next one.
Image credit: Robert Linder