
Adobe Security Breached To Sign Off Malicious Files

Hackers have broken into an Adobe server, using it to sign a number of malicious files, in what the software maker believes is part of a targeted attack campaign.

The Adobe security team discovered two malicious utilities signed with the certificate. It said it was unlikely the certificate had been used to sign widespread malware, so the impact should be limited. Many security products skip scanning, or implicitly trust, files signed by major vendors like Adobe, which is why attackers are so keen to get their code signed with a major vendor's certificate.

One of the utilities extracts password hashes from Windows machines, whilst the other was an ISAPI filter, capable of intercepting and modifying incoming and outgoing HTTP streams when running on IIS servers.

On 4 October Adobe revoked the impacted certificate for all code signed after 10 July 2012. Adobe has also decommissioned the affected signing infrastructure and put in place an interim process in which code signing requests are approved through offline human verification.

But as it appears Adobe was hacked on 10 July, security experts are concerned the signed malicious files could have been in use for some time. Yet no attacks using the files have been seen in the wild to date.

Building an attack

Adobe believes the impacted certificate was used to sign the two malicious utilities (encompassing a total of three files signed separately) by sending a signing request from a compromised build server to the signing server. The signing server itself was not compromised, but the build server, which was found to contain malware, required access to the code signing service as part of its build processes. The firm admitted that “the details of the machine’s configuration were not to Adobe corporate standards” and said an investigation is under way into why these deficiencies were not identified.

“We believe the threat actors established a foothold on a different Adobe machine and then leveraged standard advanced persistent threat (APT) tactics to gain access to the build server and request signatures for the malicious utilities from the code signing service via the standard protocol used for valid Adobe software,” explained Brad Arkin, senior director of security at Adobe, in a blog post.

“We also have forensic evidence linking the build server to the signing of the malicious utilities.

“In addition to working with your security vendors to ensure you have the latest updates containing protections against these utilities, system administrators for managed desktop Windows OS environments can create a Software Restriction Policy (SRP—via Group Policy) that disallows the execution of the malicious utilities and blocks them on the basis of the individual file hashes.”

Arkin said there was no evidence Adobe source code or any other sensitive data was stolen from the build server. No end user action is needed, apart from specific situations, which concerned IT teams can learn about here.
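The two controls Adobe describes above, revocation scoped to a date and blocking by individual file hash, interact in a way that is easier to see in code. The following Python is an added illustration, not Adobe's code or tooling; the certificate label, file names, contents, hashes and dates are all constructed, since this page lists neither the real certificate identifiers nor the hashes of the malicious utilities, and the exact cut-over instant (00:00 UTC on 10 July) is an assumption. It shows why the 10 July cutoff only protects signatures that carry a trusted timestamp, and why a hash rule is the right tool for files the cutoff cannot catch.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional, Set, Tuple

# Cutoff from the article: the certificate is revoked for code signed after
# 10 July 2012. Treating the cut-over instant as 00:00 UTC is an assumption.
REVOCATION_CUTOFF = datetime(2012, 7, 10, tzinfo=timezone.utc)

# Placeholder label for the certificate whose signing service was abused;
# this is not Adobe's real certificate serial or thumbprint.
REVOKED_CERT_ID = "adobe-codesign-2012"

# Certificate id -> instant from which its signatures are no longer trusted.
REVOKED: Dict[str, datetime] = {REVOKED_CERT_ID: REVOCATION_CUTOFF}


@dataclass
class SignedFile:
    name: str
    content: bytes
    signer_cert_id: Optional[str] = None    # None: the file carries no signature
    # Signing time as attested by a trusted (Authenticode/RFC 3161) timestamp
    # countersignature. None: no countersignature, so the time is unproven.
    signing_time: Optional[datetime] = None


def file_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def evaluate(f: SignedFile, revoked: Dict[str, datetime],
             blocked: Set[str]) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'blocked', 'untrusted' or 'trusted'."""
    # 1. Hash rule first. This is what an SRP hash rule does: it matches the
    #    bytes on disk and ignores the signature, so a catalogued binary stays
    #    blocked even if its signature would otherwise verify.
    h = file_hash(f.content)
    if h in blocked:
        return "blocked", f"sha256 {h[:16]}... is on the hash blocklist"

    # 2. Unsigned code gets no trust from this policy.
    if f.signer_cert_id is None:
        return "untrusted", "file is not signed"

    # 3. A signer that is not revoked is trusted as usual.
    cutoff = revoked.get(f.signer_cert_id)
    if cutoff is None:
        return "trusted", "signer certificate is not revoked"

    # 4. Date-scoped revocation. Only a trusted timestamp proves that the
    #    signature predates the cutoff; without one we cannot tell a legitimate
    #    June build from a file signed by the intruders, so fail closed.
    if f.signing_time is None:
        return "untrusted", "signer revoked and no trusted timestamp proves an earlier signing"
    if f.signing_time < cutoff:
        return "trusted", f"timestamped {f.signing_time.date()}, before cutoff {cutoff.date()}"
    return "untrusted", f"timestamped {f.signing_time.date()}, on or after cutoff {cutoff.date()}"


# Constructed sample inventory. Contents, names and dates are made up for the
# example; the two 'malicious' entries stand in for the utilities the article
# describes but are not their real bytes or hashes.
MALICIOUS_1 = b"constructed: password hash dumper"
MALICIOUS_2 = b"constructed: ISAPI filter variant"
BLOCKLIST: Set[str] = {file_hash(MALICIOUS_1), file_hash(MALICIOUS_2)}

_EARLY = datetime(2012, 6, 1, tzinfo=timezone.utc)   # before the cutoff
_LATE = datetime(2012, 8, 1, tzinfo=timezone.utc)    # after the cutoff

SAMPLE_FILES = [
    SignedFile("reader_update.exe", b"constructed: legitimate build", REVOKED_CERT_ID, _EARLY),
    SignedFile("hashdump.exe", MALICIOUS_1, REVOKED_CERT_ID, _LATE),
    SignedFile("isapi_variant.dll", b"constructed: uncatalogued variant", REVOKED_CERT_ID, _LATE),
    SignedFile("early_variant.exe", MALICIOUS_2, REVOKED_CERT_ID, _EARLY),
    SignedFile("untimestamped.exe", b"constructed: no countersignature", REVOKED_CERT_ID, None),
    SignedFile("other_vendor.exe", b"constructed: other vendor build", "othervendor-2012", _LATE),
    SignedFile("dropper.exe", b"constructed: unsigned payload"),
]


def run_policy(files=SAMPLE_FILES) -> Dict[str, str]:
    """Apply both controls to every file; returns name -> verdict."""
    verdicts = {}
    for f in files:
        verdict, reason = evaluate(f, REVOKED, BLOCKLIST)
        verdicts[f.name] = verdict
        print(f"{f.name:20} {verdict:9} {reason}")
    return verdicts


if __name__ == "__main__":
    run_policy()
```

Run it and the inventory prints one verdict per file. The order of the checks is the point: the hash rule fires before any signature logic, so it does not depend on revocation status, timestamp or signer, and it catches early_variant.exe, which the date cutoff alone would have trusted. A revoked signer with no countersignature is treated as signed after the cutoff rather than before it, because nothing on the file proves otherwise, while isapi_variant.dll shows that revocation still catches a signed file that no hash rule has yet been written for.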

Crazy for certificates

There have been a number of cases of hackers signing off malicious files by first breaking into software vendors’ machines in recent times, noted James Lyne, director of technology strategy at Sophos. “The objective is to bypass security systems and avoid alerts on installation through posing as legitimate software. Many would not trust code signing from smaller organisations anyway, but larger organisations often are placed in a position of implicit trust,” he told TechWeekEurope.

Despite Adobe saying there were only two malicious utilities in circulation, there may be more malicious files signed off by the Adobe hackers. “Having searched our collection, in addition to the malicious files that Adobe identified being signed in the wild we have found a small number of other malicious files (ignoring the large number of legitimate or slightly modified Adobe files) in our labs which we are digging in to in more depth,” Lyne said.

This hack also shows how sophisticated targeted attacks are becoming, and how good hackers are getting at finding weak spots in major software vendors, who sell software to some of the biggest organisations in the world. “Note that while the full details of the attack are not yet available it is explained that ‘standard APT’ methods were leveraged,” Lyne added.

“Most likely bespoke malware provided a backdoor to a nearby system and they were able to map out the build network, identify the signing system and HSM [Hardware Security Modules used for securing private keys] and then smuggle in their requests and exfiltrate.”

“Cyber criminals are smart and clearly prepared to exploit the chain of trust. As an industry we need to continue to ask questions about how reputation and trust are established and protected. At least in this instance this malware or potentially unwanted application is detected by organisations running defence in depth and users won’t be left waiting weeks for a revocation whilst their credentials are left unencrypted to attackers.”

But the case will do little to improve Adobe’s image in the security world. The company’s software, from Flash to Reader, has been picked apart by hackers in recent times, although efforts to improve product security have eased Adobe’s woes. It will be praying nothing nasty emerges from this successful breach of its own infrastructure.

Correction: This story originally indicated a certificate had been stolen. The article has now been amended to reflect that a certificate was not stolen. Adobe said the impacted certificate was used to sign the two malicious utilities (encompassing a total of three files signed separately) by sending a signing request from a compromised build server to the signing server. The signing server itself was not compromised, but the build server, which was found to contain malware, required access to the code signing service as part of build processes.


Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
