Criminals broke into an Adobe server and signed two pieces of malware with a digital certificate that attests that they are legitimate code.
As a result of the breach, the company will revoke the certificate next Thursday and will update legitimate Adobe software that has been signed by the same certificate since July 10.
Adobe says that its legitimate software signed by the certificate is not at risk and that the hijacked certificate does not pose a general security threat.
“The evidence we have seen has been limited to a single isolated discovery of two malicious utilities signed using the certificate and indicates that the certificate was not used to sign widespread malware,” Adobe says in an FAQ on the situation.
But there could be another shoe or two yet to drop, says Andrew Storms, director of security operations for security vendor nCircle. “It seems probable that this situation is the result of a breach of Adobe’s software release process,” Storms says in a written statement. “If that’s the case there could be other serious problems that haven’t been found yet.”
Adobe says it is working with security vendors so their products will be able to detect the malware that was signed by the compromised certificate and protect end users from the malware.
Adobe didn’t say exactly what the malware was capable of doing, but noted that in general using stolen certificates to legitimise malware is a tactic used by sophisticated adversaries carrying out targeted attacks.
“As a result, we believe the vast majority of users are not at risk,” Adobe says in a blog. Once executed, such malware can escalate privileges on compromised machines and move from machine to machine within a network.
Products that need updating are:
• Adobe Application Manager – Enterprise Edition;
• Adobe Provisioning Toolkit Enterprise Edition;
• Report Builder – Digital Marketing Suite;
• SiteCatalyst Real-Time Dashboard – Digital Marketing Suite;
• Adobe Update Server Setup Tool;
• Flash Media Server 4.5.3;
• ColdFusion 10;
• Flash Player;
• Reader.
Also affected are three Adobe AIR applications: Adobe Muse, Adobe Story, and the Acrobat.com desktop services, which run on both Windows and Macintosh.
The company has issued instructions here on how IT administrators can update affected products.
Adobe said a build server used to make legitimate software was not configured to Adobe's standards and was compromised. It had access to the Adobe code signing service, so the criminals could put in requests to have their malware certified as legitimate.
“We believe the threat actors established a foothold on a different Adobe machine and then leveraged standard advanced persistent threat (APT) tactics to gain access to the build server and request signatures for the malicious utilities from the code signing service via the standard protocol used for valid Adobe software,” the blog post says.
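The revocation policy the article describes (the certificate is revoked for anything signed on or after July 10, while earlier timestamped signatures stand) turned into a triage check an administrator could run over an inventory of signed binaries; this is an added example, not Adobe's code, and the certificate thumbprint, the sample paths and the countersignature times are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Placeholder: the article does not give the thumbprint of the compromised
# certificate; substitute the value from Adobe's advisory.
COMPROMISED_THUMBPRINT = "PLACEHOLDER-COMPROMISED-CERT-THUMBPRINT"
# Revocation applies to anything signed on or after this date (from the article).
REVOCATION_EFFECTIVE = datetime(2012, 7, 10, tzinfo=timezone.utc)

@dataclass
class SignedArtifact:
    path: str
    signer_thumbprint: str
    # Time asserted by a trusted timestamp countersignature, if the signature has one.
    countersign_time: Optional[datetime]

def assess(artifact: SignedArtifact) -> str:
    """Classify one artifact against the revoked certificate.
    Returns 'unaffected', 'valid-before-revocation' or 'revoked'."""
    if artifact.signer_thumbprint != COMPROMISED_THUMBPRINT:
        return "unaffected"
    ts = artifact.countersign_time
    # Without a trusted timestamp nothing proves the signature predates the
    # revocation, so the binary is treated as signed by a revoked certificate.
    if ts is None or ts >= REVOCATION_EFFECTIVE:
        return "revoked"
    return "valid-before-revocation"

def triage(artifacts):
    """Group artifact paths by assessment so admins can replace or remove them."""
    report = {}
    for a in artifacts:
        report.setdefault(assess(a), []).append(a.path)
    return report

# Constructed sample inventory (not real data); dates and paths are made up.
SAMPLE = [
    SignedArtifact("C:/Program Files/Adobe/AAMEE/AAMEE.exe", COMPROMISED_THUMBPRINT,
                   datetime(2012, 6, 1, tzinfo=timezone.utc)),
    SignedArtifact("C:/Temp/pwdump7.exe", COMPROMISED_THUMBPRINT,
                   datetime(2012, 8, 15, tzinfo=timezone.utc)),
    SignedArtifact("C:/inetpub/filters/myGeeksmail.dll", COMPROMISED_THUMBPRINT, None),
    SignedArtifact("C:/Windows/System32/notepad.exe", "OTHER-THUMBPRINT",
                   datetime(2012, 1, 1, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    for verdict, paths in triage(SAMPLE).items():
        print(verdict, paths)
```

In practice the signer thumbprint and countersignature time are read from each binary's Authenticode signature; binaries in the "revoked" group are either replaced with Adobe's re-signed builds or removed.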
This is reminiscent of how Microsoft certificate signing was compromised as part of the Flame malware attack. That resulted in Microsoft revamping its certificate service and requiring an encryption upgrade that takes effect Oct. 9.
The two malicious utilities discovered are known as pwdump7v7.1 and myGeeksmail.dll.
The first extracts password hashes from Windows operating systems. The second is a malicious ISAPI filter. An ISAPI filter is a file that can extend the functionality of Microsoft’s Internet Information Services (IIS). These filters can examine and modify data coming into and going out of IIS servers. Details about the two malicious utilities are available here at the official Adobe security advisory.
A spokesperson for Adobe says in an email that it came across the samples from a single source that the company would not name.