(LiveHacking.Com) – Adobe has discovered that its internal code signing infrastructure was breached and used to sign two malicious programs so that they appear to be genuine Adobe files. The security breach happened back in July, and as a result Adobe will revoke the certificate for all software code signed after July 10, 2012. This will happen on October 4th; in the meantime Adobe is in the process of issuing updates signed with a new digital certificate for all affected products.
Once the breach was discovered and the signatures verified, Adobe immediately decommissioned its existing code signing infrastructure and initiated a forensics investigation to determine how the signatures were created.
The first of the two malicious files signed with Adobe’s certificate is called pwdump7 v7.1; it extracts password hashes from the Windows OS. The second malicious utility, myGeeksmail.dll, is thought to be a malicious ISAPI filter. However, it doesn’t appear to be publicly available.
“Sophisticated threat actors use malicious utilities like the signed samples during highly targeted attacks for privilege escalation and lateral movement within an environment following an initial machine compromise. As a result, we believe the vast majority of users are not at risk,” wrote Adobe security chief Brad Arkin.
The revocation of the certificate affects only the Windows platform and three Adobe AIR applications (Adobe Muse, Adobe Story AIR applications and Acrobat.com desktop services). The revocation does not impact any other Adobe software for Macintosh or other platforms. Adobe has informed its partners of the incident, including participants in the Microsoft Active Protections Program (MAPP), who have received samples of the falsely signed programs.
The hacked server
Adobe has identified a compromised build server that required access to the code signing service as part of the build process. However, the compromised server did not have rights to any public key infrastructure (PKI) functions other than the ability to make code signing requests to the code signing service. During its initial investigation, Adobe discovered malware on the server and the probable mechanism used to gain access.
“We believe the threat actors established a foothold on a different Adobe machine and then leveraged standard advanced persistent threat (APT) tactics to gain access to the build server and request signatures for the malicious utilities from the code signing service via the standard protocol used for valid Adobe software,” added Arkin. “The build server had no access to Adobe source code for any other products and specifically did not have access to any of Adobe’s ubiquitous desktop runtimes such as Flash Player, Adobe Reader, Shockwave Player, or Adobe AIR.”