Adobe announced today it was the victim of an APT-style attack after
two malicious utilities commonly used in targeted attacks for privilege
escalation and pivoting within a network were discovered signed by a
valid Adobe digital certificate. Adobe said it will revoke the certificate next week.
Adobe
products and services senior director of security Brad Arkin said in a
statement that a build server with access to the Adobe code signing
infrastructure was compromised and is the source of the issue.
The
certificate will be revoked on Oct. 4; this affects only Adobe software
signed with the cert after July 10 running on Windows, as well as three
Adobe Air applications that run on Windows and the Macintosh platform.
“Customers should not notice anything out of the
ordinary during the certificate revocation process,” Arkin said. “Our
investigation to date has shown no evidence that any other sensitive
information—including Adobe source code or customer, financial or
employee data—was compromised.”
Arkin said Adobe does not believe
the certificate was used to sign widespread malware, and is limited to
the two utilities discovered.
“We believe the vast majority of users are not at risk,” Arkin said.
The
two utilities in question are pwdump7 v7.1, which extracts password
hashes from Windows and sometimes links the OpenSSL library
libeay32.dll, and myGeeksmail.dll, a malicious ISAPI filter that runs on
the Microsoft Web server software IIS. ISAPI can be used to modify IIS’
functionality.
Mikko Hypponen, chief research officer at F-Secure, said on a Twitter post
that his company's sample repository has more than 5,000 files signed
by the compromised certificate. Hypponen said only three of the files
were malicious.
IT administrators can try to mitigate the threat
by creating a software restriction policy via Group Policy that prevents
the utilities from executing. However, moving the certificate to the
Windows Untrusted Certificate Store, according to Adobe tests, will not
block an attacker from executing the utilities on a compromised machine.
This will also hamper performance of legitimate Adobe products signed
with the certificate.
Adobe has decommissioned the code-signing
infrastructure and instituted a temporary code-signing service for
re-signing components signed with the compromised key. It is
investigating how the signatures were created.
So far, Arkin said,
Adobe has identified malware on the build server in question and how
the attackers gained access to it, in addition to having forensic
evidence linking the server to the signing of the malicious utilities.
He said the private key was not extracted from a hardware security
module, stored in a physically secured location.
“We believe the
threat actors established a foothold on a different Adobe machine and
then leveraged standard advanced persistent threat tactics to gain
access to the build server and request signatures for the malicious
utilities from the code signing service via the standard protocol used
for valid Adobe software,” Arkin said.
The compromised build
server had access to source code for only one product, Arkin said, who
added it was not Flash, Reader, Shockwave or AIR.
“We have
reviewed every commit made to the source repository the machine did have
access to and confirmed that no source code changes or code insertions
were made by the build server account,” Arkin said. “There is no
evidence to date that any source code was stolen.”
No comments:
Post a Comment