Adobe has confirmed that one of their build servers that has access to the Adobe code signing infrastructure has been compromised, allowing attackers to digitally sign two malicious utilities with a valid Adobe code signing certificate.
The company also announced that the certificate in question will be revoked on October 4 and that this will affect only the Windows platform and three Adobe AIR applications (Adobe Muse and Adobe Story AIR applications as well as Acrobat.com desktop services) that run on both Windows and Macintosh.
Adobe will, of course, be issuing updates for all impacted products, and has set up a support page providing steps that potentially affected users should go through to rectify the problem on their own machines.
“Sophisticated threat actors use malicious utilities like the signed samples during highly targeted attacks for privilege escalation and lateral movement within an environment following an initial machine compromise. As a result, we believe the vast majority of users are not at risk,” pointed out Adobe’s engineering senior director Brad Arkin. “Customers should not notice anything out of the ordinary during the certificate revocation process.”
The maliciously signed utilities are pwdump7 v7.1, which extracts password hashes from the Windows OS, and myGeeksmail.dll, a malicious ISAPI filter (for more details, check the following security advisory).
“We have shared the samples via the Microsoft Active Protection Program (MAPP) so that security vendors can detect and block the malicious utilities,” says Arkin, and advises against moving the impacted Adobe certificate to the Windows Untrusted Certificate Store, since the move won’t prevent the execution of the malicious utilities on a victim machine, but will have a “negative impact” on the user experience and execution of valid Adobe software signed with the impacted certificate.
Upon being notified of the misuse of their code signing certificate, Adobe decommissioned the existing Adobe code signing infrastructure and mounted an investigation.
In the meantime, they implemented an interim signing service for re-signing components that were signed with the impacted key after July 10, 2012 and to continue code signing for regularly scheduled releases. A new, permanent solution is in the works.
“Our forensic investigation is ongoing,” says Arkin. “To date we have identified malware on the build server and the likely mechanism used to first gain access to the build server. We also have forensic evidence linking the build server to the signing of the malicious utilities. We can confirm that the private key required for generating valid digital signatures was not extracted from the HSM. We believe the threat actors established a foothold on a different Adobe machine and then leveraged standard advanced persistent threat (APT) tactics to gain access to the build server and request signatures for the malicious utilities from the code signing service via the standard protocol used for valid Adobe software.”
He also pointed out that the build server used a dedicated account to access source code required for the build, and that this account had access to only one product. He didn’t specify which product it is, but said that it wasn’t that of Flash Player, Adobe Reader, Shockwave Player, or Adobe AIR.
“There is no evidence to date that any source code was stolen,” he concluded. “We have reviewed every commit made to the source repository the machine did have access to and confirmed that no source code changes or code insertions were made by the build server account.”