Hackers compromise Adobe server, use it to digitally sign malicious files

Adobe is taking steps to revoke the certificate used to create the signatures

Adobe plans to revoke a code-signing certificate after hackers compromised one of the company's internal servers and used it to digitally sign two malicious utilities.

"We received the malicious utilities in the late evening of Sept. 12 from a single, isolated (unnamed) source," Wiebke Lips, senior manager of corporate communications at Adobe, said Thursday via email. "As soon as the validity of the signatures was confirmed, we immediately initiated steps to deactivate and revoke the certificate used to generate the signatures."

One of the malicious utilities was a digitally signed copy of pwdump7 version 7.1, a publicly available tool that extracts Windows account password hashes from a system; the sample also included a signed copy of libeay32.dll, the OpenSSL library the tool depends on.

The second utility was an ISAPI filter called myGeeksmail.dll. ISAPI filters are DLLs that Microsoft's IIS Web server loads into its request pipeline (Apache for Windows supports ISAPI extensions through mod_isapi, but not filters), where they can inspect and modify HTTP requests and responses in transit.

The two rogue tools could be used on a machine after it was compromised and would likely pass a scan by security software, because their digital signatures were genuine ones produced with Adobe's certificate rather than forgeries, and therefore indistinguishable from those on Adobe's own products.

"Some antivirus solutions don't scan files signed with valid digital certificates coming from trustworthy software makers such as Microsoft or Adobe," said Bogdan Botezatu, a senior e-threat analyst at antivirus vendor BitDefender. "This would give the attackers a huge advantage: Even if these files were heuristically detected by the locally installed AV, they would be skipped by default from scanning, which dramatically enhances the attackers' chance of exploiting the system."

Adobe believes "the vast majority of users are not at risk" because tools like the ones that were signed are normally used during "highly targeted attacks," not widespread ones, Brad Arkin, Adobe's senior director of product security and privacy, wrote in a blog post.

However, Botezatu couldn't say if any of these files were actively detected on computers protected by the company's products. "It's too early to tell, and we don't have sufficient data yet," he said.

"At the moment, we have flagged all the received samples as malicious and we continue monitoring their geographical distribution," Botezatu said.

Adobe traced back the compromise to an internal "build server" that had access to its code-signing infrastructure. "Our investigation is still ongoing, but at this time, it appears that the impacted build server was first compromised in late July," Lips said.

"To date we have identified malware on the build server and the likely mechanism used to first gain access to the build server," Arkin said. "We also have forensic evidence linking the build server to the signing of the malicious utilities."

The configuration of the build server was not up to Adobe's corporate standards for a server of this nature, Arkin said. "We are investigating why our code-signing access provisioning process in this case failed to identify these deficiencies."

The misused code-signing certificate was issued by VeriSign on Dec. 14, 2010, and is scheduled to be revoked at Adobe's request on Oct. 4, with the revocation backdated to July 10, 2012. Because the revocation takes effect as of that date, it invalidates only signatures made after July 10, 2012, a date that precedes the late-July compromise of the build server; Adobe software signed before then keeps a valid signature.

"This only affects the Adobe software signed with the impacted certificate that runs on the Windows platform and three Adobe AIR applications that run on both Windows and Macintosh," Arkin said.
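As an added illustration (not code from the article, Adobe or Symantec), the following Python models the trust decision a verifier should make once a code-signing certificate has been revoked with a back-dated effective date, as Adobe's VeriSign-issued certificate was. The cryptographic check of the signature itself is assumed to have been performed elsewhere; the serial number, the certificate expiry, the countersignature times, the sample file names and the `evaluate` function are all assumptions constructed for the example. It also shows why, as Botezatu's comment above suggests, "signed by a trusted vendor" is not by itself a reason to skip scanning a file: the same genuine certificate yields both verdicts depending on when the signature was made.

```python
# Added example: policy layer for code-signature trust after a back-dated
# revocation. Not Adobe's, Symantec's or CSO's code. The PKCS#7/Authenticode
# cryptographic check is assumed to be done already (crypto_valid); this code
# decides whether a cryptographically valid signature should still be trusted.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional

UTC = timezone.utc


@dataclass(frozen=True)
class SigningCert:
    serial: int
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class RevokedEntry:
    """One CRL entry. revocation_date is the effective date: signatures made
    at or after it are invalid, signatures made before it are unaffected."""
    serial: int
    revocation_date: datetime
    reason: str


@dataclass(frozen=True)
class Signature:
    signer: SigningCert
    crypto_valid: bool
    # Countersignature (timestamp) time, if the file carries one. Without it
    # there is no trustworthy evidence of WHEN the file was signed.
    timestamp: Optional[datetime]


def evaluate(sig: Signature, crl: Dict[int, RevokedEntry], now: datetime) -> str:
    """Return 'trusted' or an 'untrusted: <reason>' string."""
    if not sig.crypto_valid:
        return "untrusted: signature does not verify"
    entry = crl.get(sig.signer.serial)
    if sig.timestamp is None:
        # No countersignature: the only time we can reason about is 'now',
        # so any revocation of the signer makes the signature unusable.
        if entry is not None:
            return f"untrusted: signer revoked ({entry.reason}) and signature is not timestamped"
        signing_time = now
    else:
        signing_time = sig.timestamp
    cert = sig.signer
    if not (cert.not_before <= signing_time <= cert.not_after):
        return "untrusted: certificate not valid at signing time"
    if entry is not None and signing_time >= entry.revocation_date:
        return f"untrusted: signed after revocation date ({entry.reason})"
    return "trusted"


# Constructed sample data. The issue date (Dec. 14, 2010) and the effective
# revocation date (July 10, 2012) come from the article; the serial number,
# the expiry and every timestamp below are assumptions for the example.
ADOBE_CERT = SigningCert(
    serial=0x1234,
    not_before=datetime(2010, 12, 14, tzinfo=UTC),
    not_after=datetime(2013, 12, 14, tzinfo=UTC),
)
CRL = {ADOBE_CERT.serial: RevokedEntry(ADOBE_CERT.serial, datetime(2012, 7, 10, tzinfo=UTC), "keyCompromise")}
NOW = datetime(2012, 10, 5, tzinfo=UTC)  # the day after the revocation is published

SAMPLES = {
    # legitimate Adobe product built and timestamped before the compromise
    "legit_old": Signature(ADOBE_CERT, True, datetime(2012, 5, 1, tzinfo=UTC)),
    # rogue utility signed on the compromised build server
    "rogue": Signature(ADOBE_CERT, True, datetime(2012, 9, 1, tzinfo=UTC)),
    # genuine signature but no countersignature: cannot prove it predates July 10
    "untimestamped": Signature(ADOBE_CERT, True, None),
    # tampered binary: the signature itself no longer verifies
    "tampered": Signature(ADOBE_CERT, False, datetime(2012, 5, 1, tzinfo=UTC)),
}


def verdicts() -> Dict[str, str]:
    return {name: evaluate(sig, CRL, NOW) for name, sig in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name:14s} {verdict}")
```

The backdated date is what makes this workable for users: Windows Authenticode evaluates a signature against the countersignature time, so Adobe's products timestamped before July 10, 2012 stay valid after Oct. 4, while anything the attackers signed later fails the revocation check. The flip side, visible in the `untimestamped` case, is that a signature without a timestamp cannot prove it predates the compromise and should be treated as untrusted once the signer is revoked.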

Adobe published a help page that lists the affected products and contains links to updated versions signed with a new certificate.

Symantec, which now owns and operates the VeriSign certificate authority, stressed that the misused code-signing certificate was entirely under Adobe's control.

"None of Symantec's code-signing certificates were at risk," Symantec said Thursday in an emailed statement. "This was not a compromise of Symantec's code-signing certificates, network or infrastructure."

Adobe decommissioned its code-signing infrastructure and replaced it with an interim signing service that requires files to be manually checked before being signed, Arkin said. "We are in the process of designing and deploying a new, permanent signing solution."

"It's hard to determine the implications of this incident, because we can't be sure that only the shared samples were signed without authorization," Botezatu said. "If the password dumper application and the open-source SSL library are relatively innocuous, the rogue ISAPI filter can be used for man-in-the-middle attacks - typical attacks that manipulate the traffic from the user to the server and vice-versa, among others."

Stories by Lucian Constantin