Adobe says “advanced persistent” hackers broke into its software development servers and compromised its code signing certificate procedures to pass off Windows malware as trusted Adobe products.
“We have identified a compromised build server with access to the Adobe code signing infrastructure. We are proceeding with plans to revoke the certificate and publish updates for existing Adobe software signed using the impacted certificate,” Brad Arkin, senior director, security, Adobe products and services said Thursday.
Adobe said two “malicious utilities” had been signed as coming from it. The first was “pwdump7 v7.1”, designed to extract password hashes from Windows machines, and the second was “myGeeksmail.dll”.
The hackers did not lift the private key from its digital key management repository, according to Arkin, but rather gained entry to servers in early July that were trusted to request signatures.
“Within minutes of the initial triage of the first sample, we decommissioned our signing infrastructure and began a clean-room implementation of an interim signing service for re-signing components that were signed with the impacted key after July 10, 2012 and to continue code signing for regularly scheduled releases.”
Arkin stressed the breach “only affects the Adobe software signed with the impacted certificate that runs on the Windows platform and three Adobe AIR applications* that run on both Windows and Macintosh”.
Adobe has provided a long list of products it recommends apply the update here, including Photoshop CS6 and Flash Player.
New certificates will be issued on October 4.
While attackers using fraudulently signed malware might have a big advantage over potential victims, Adobe believes the threat “does not present a general security risk” since the tools they gathered are more typically used in targeted attacks -- such as those that compromised it.
“Sophisticated threat actors use malicious utilities like the signed samples during highly targeted attacks for privilege escalation and lateral movement within an environment following an initial machine compromise,” said Arkin.