Criminals hack Adobe certificate server

Criminals have broken into an Adobe server and provided two pieces of malware with a digital certificate that attests to their being legitimate code.

As a result of the breach, the company will revoke the certificate next Thursday and will update legitimate Adobe software that has been signed by the same certificate since July 10.

Adobe says that its legitimate software signed by the certificate is not at risk and that the hijacked certificate does not pose a general security threat.

"The evidence we have seen has been limited to a single isolated discovery of two malicious utilities signed using the certificate and indicates that the certificate was not used to sign widespread malware," Adobe says in an FAQ on the situation.

But there could be another shoe or two yet to drop, says Andrew Storms, director of security operations for security vendor nCircle. "It seems probable that this situation is the result of a breach of Adobe's software release process," Storms says in a written statement. "If that's the case there could be other serious problems that haven't been found yet."

Adobe says it is working with security vendors so their products will be able to detect the malware that was signed by the compromised certificate and protect end users from the malware.

Adobe didn't say exactly what the malware was capable of doing, but noted that in general using stolen certificates to legitimize malware is a tactic used by sophisticated adversaries carrying out targeted attacks.

"As a result, we believe the vast majority of users are not at risk," Adobe says in a blog. Once executed, such malware can escalate privileges on compromised machines and spread from machine to machine within a network.

Products that need updating are:

• Adobe Application Manager - Enterprise Edition
• Adobe Provisioning Toolkit Enterprise Edition
• Report Builder - Digital Marketing Suite
• SiteCatalyst Real-Time Dashboard - Digital Marketing Suite
• Adobe Update Server Setup Tool
• Flash Media Server 4.5.3
• ColdFusion 10
• Flash Player
• Reader

Also affected are three Adobe AIR applications: Adobe Muse, Adobe Story, and desktop services that run on both Windows and Macintosh.

The company has issued instructions here on how IT administrators can update affected products.

Adobe said a build server used to make legitimate software was not configured up to Adobe standards and was compromised. It had access to the Adobe code signing service, so the criminals could put in requests to have their malware certified as legitimate.

"We believe the threat actors established a foothold on a different Adobe machine and then leveraged standard advanced persistent threat (APT) tactics to gain access to the build server and request signatures for the malicious utilities from the code signing service via the standard protocol used for valid Adobe software," the blog post says.
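The remediation Adobe describes above, a revocation of the certificate combined with re-signing everything it signed since July 10, comes down to a policy decision per signed artefact. The following is an added, constructed example (not Adobe's tooling, and none of its names, serials or hashes come from the advisory) of how an IT administrator or vendor might triage an inventory of signed binaries against such a cut-off: a known-bad hash list takes precedence, an unaffected certificate stays trusted, signatures countersigned before the cut-off stay trusted, and anything the compromised certificate signed on or after the cut-off is flagged for re-signing. The placeholder serial, the known-bad set and the signing-log CSV format are all assumptions made for the example.

```python
"""Triage of an inventory of signed binaries after a code-signing certificate
compromise. Added, constructed example: not Adobe's tooling, and none of the
names, serials or hashes below come from Adobe's advisory.

Policy modelled on the article: the compromised certificate is revoked, and
every binary it signed on or after 10 July 2012 is treated as needing a fresh
signature (or as outright malicious if its hash is on a known-bad list), while
signatures timestamped before that date stay trusted.
"""
import csv
import hashlib
import io
from dataclasses import dataclass
from datetime import datetime, timezone

# Placeholder serial for the compromised certificate (constructed, not real).
COMPROMISED_SERIAL = "PLACEHOLDER-SERIAL-0001"
# Signatures made with that certificate at or after this instant are void.
INVALID_FROM = datetime(2012, 7, 10, tzinfo=timezone.utc)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed file contents stand in for real binaries so the hashes are
# reproducible without any external files.
SAMPLE_FILES = {
    "legit-installer.exe": b"constructed legitimate build signed in June",
    "legit-updater.exe": b"constructed legitimate build signed in August",
    "suspect-tool.exe": b"constructed malicious utility",
    "other-vendor.exe": b"constructed binary from an unrelated certificate",
}

# Hashes an AV vendor or an advisory would publish; here derived from the
# constructed sample so the example is self-contained.
KNOWN_BAD = {sha256_hex(SAMPLE_FILES["suspect-tool.exe"])}

# Constructed signing-log export: one row per signed artefact. signed_at is the
# time recorded by the timestamp countersignature, not the file's mtime.
INVENTORY_CSV = "\n".join([
    "name,cert_serial,signed_at,sha256",
    "legit-installer.exe,PLACEHOLDER-SERIAL-0001,2012-06-20T09:15:00+00:00,"
    + sha256_hex(SAMPLE_FILES["legit-installer.exe"]),
    "legit-updater.exe,PLACEHOLDER-SERIAL-0001,2012-08-01T14:02:00+00:00,"
    + sha256_hex(SAMPLE_FILES["legit-updater.exe"]),
    "suspect-tool.exe,PLACEHOLDER-SERIAL-0001,2012-07-26T03:41:00+00:00,"
    + sha256_hex(SAMPLE_FILES["suspect-tool.exe"]),
    "other-vendor.exe,PLACEHOLDER-SERIAL-0002,2012-08-15T10:00:00+00:00,"
    + sha256_hex(SAMPLE_FILES["other-vendor.exe"]),
])


@dataclass(frozen=True)
class SignedBinary:
    name: str
    cert_serial: str
    signed_at: datetime
    sha256: str


def parse_inventory(text: str) -> list:
    """Parse the CSV export into SignedBinary records (timestamps must be ISO 8601 with a zone)."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        signed_at = datetime.fromisoformat(row["signed_at"])
        if signed_at.tzinfo is None:
            raise ValueError(f"{row['name']}: timestamp lacks a timezone")
        records.append(SignedBinary(row["name"], row["cert_serial"],
                                    signed_at, row["sha256"].lower()))
    return records


def classify(binary: SignedBinary,
             revoked_serial: str = COMPROMISED_SERIAL,
             invalid_from: datetime = INVALID_FROM,
             known_bad: set = KNOWN_BAD) -> str:
    """Return one of 'block', 'trusted' or 'resign' for a signed binary."""
    if binary.sha256 in known_bad:
        return "block"      # known malicious, whatever it is signed with
    if binary.cert_serial != revoked_serial:
        return "trusted"    # signed by an unaffected certificate
    if binary.signed_at < invalid_from:
        return "trusted"    # countersigned before the compromise window
    return "resign"         # legitimate build that needs a new signature


def triage(inventory_csv: str = INVENTORY_CSV) -> dict:
    """Map every artefact name in the inventory to its verdict."""
    return {b.name: classify(b) for b in parse_inventory(inventory_csv)}


if __name__ == "__main__":
    for name, verdict in sorted(triage().items()):
        print(f"{verdict:8} {name}")
```

The "trusted before the cut-off" rule is only sound when the signing time comes from a trusted timestamp countersignature; a signing time taken from the file itself or from the build server's clock is exactly what an attacker with access to that server can forge, so artefacts without a countersignature should fall through to the re-sign verdict rather than being grandfathered in.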

This is reminiscent of how Microsoft certificate signing was compromised as part of the Flame malware attack. That resulted in Microsoft revamping its certificate service and requiring an encryption upgrade that takes effect Oct. 9.

The two malware samples discovered are known as pwdump7v7.1 and myGeeksmail.dll.

The first extracts password hashes from Windows operating systems. The second is a malicious ISAPI filter. An ISAPI filter is a module that extends the functionality of Microsoft's Internet Information Services (IIS); such filters can examine and modify data coming into and going out of IIS servers. Details about the two malicious utilities are available here at the official Adobe security advisory.

A spokesperson for Adobe says in an email that it came across the samples from a single source that the company would not name.

Stories by Tim Greene

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts