Attackers who breached Opera Software's internal infrastructure stole an expired Opera code signing certificate, used it to sign a piece of malware, packaged it and pushed it out as an update for the Opera browser.
The incident was made public on Wednesday by Opera’s Sigbjørn Vik, who shared that the attack on their infrastructure was discovered on June 19, was very soon contained, and that there is no evidence that any user data was compromised.
“The current evidence suggests a limited impact. The attackers were able to obtain at least one old and expired Opera code signing certificate, which they have used to sign some malware. This has allowed them to distribute malicious software which incorrectly appears to have been published by Opera Software, or appears to be the Opera browser,” he wrote.
“It is possible that a few thousand Windows users, who were using Opera between 01.00 and 01.36 UTC on June 19th, may automatically have received and installed the malicious software. To be on the safe side, we will roll out a new version of Opera which will use a new code signing certificate,” he concluded and urged users to update to the latest version of Opera as soon as it is made available.
They would also do well to update their AV products and scan for traces of malware on their machines, as the masked piece of malware that was pushed out is a variant of the Zeus information-stealing Trojan (here are the solutions that currently detect it).
But, it seems that those users who inadvertently downloaded the malware probably already know that their computer is infected, as the malware carries with it – or downloads immediately after being installed – a nasty piece of ransomware that blocks the computer and asks for $300 to unlock it.
“This attack and payload are possibly the most effective method to serve malware onto unsuspecting users who are naturally urged to update their software when an update is available. The fact that it came from a trusted authority (Opera itself) and was using a digital certificate makes it even trickier,” commented Malwarebytes security researcher Jerome Segura.
“This incident should not discourage end-users from following best practices by keeping their PCs up-to-date, but it does raise some questions. After all, it shows that we cannot completely trust files, even when they are coming from reputable vendors.”
“This is perhaps when defense in-depth shows its merits. The bad guys can fool one product but not all (or at least it is much more difficult). Having multiple layers of defense (antivirus, anti-malware, browser protection) can stop an attack at different stages before it succeeds,” he added.
But something still isn’t right here. Sophos’ Paul Ducklin poses a good question: “Wouldn’t Opera’s auto-update have failed or produced a warning due to the expired certificate?”
The first thought that came to my mind is that Opera’s team has lied about the certificate being expired, but the VirusTotal analysis shows that the certificate is “out of its validity period”. It also shows that the malicious file was first submitted to the service on June 19, but the analysis has since been updated – maybe the certificate was invalidated after the discovery of the breach?
If not, it’s possible that the auto-update mechanism is flawed. And if that’s so, Opera should come out and say it.
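Ducklin's question assumes that an updater evaluates the signer's certificate validity period before installing anything. The following Go program, added here as an illustration and not taken from Opera's updater or any other real product, shows that check in a simplified form: a hypothetical update package (payload, ECDSA signature over its SHA-256 digest, signer certificate) is verified against a pool of trusted vendor certificates with `x509.Certificate.Verify`, which rejects a certificate that is out of its validity period at the evaluation time and also insists on the code-signing extended key usage. The certificate, key and payload are constructed fixtures; the package layout and the function names (`SignUpdate`, `VerifyUpdate`, `IsExpiredError`) are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SignedUpdate is a hypothetical minimal update package: the payload, an
// ECDSA signature over its SHA-256 digest, and the signer's certificate.
type SignedUpdate struct {
	Payload   []byte
	Signature []byte
	Cert      *x509.Certificate
}

// newSigningCert returns a self-signed code-signing certificate (and its key)
// that is valid only inside [notBefore, notAfter]. Constructed test fixture
// standing in for a vendor certificate; not a real CA.
func newSigningCert(notBefore, notAfter time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "Example Vendor Code Signing (constructed)"},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// TrustedPool builds the updater's set of accepted vendor certificates.
func TrustedPool(certs ...*x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	for _, c := range certs {
		pool.AddCert(c)
	}
	return pool
}

// SignUpdate produces the package a vendor build system would ship.
func SignUpdate(payload []byte, cert *x509.Certificate, key *ecdsa.PrivateKey) (*SignedUpdate, error) {
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		return nil, err
	}
	return &SignedUpdate{Payload: payload, Signature: sig, Cert: cert}, nil
}

// VerifyUpdate is the check an auto-updater should run before installing:
// the signer must be trusted, valid at `now`, issued for code signing, and
// the signature must match the payload. Any failure, an expired certificate
// included, is an error and the package must not be installed.
func VerifyUpdate(u *SignedUpdate, trusted *x509.CertPool, now time.Time) error {
	if u == nil || u.Cert == nil {
		return errors.New("update carries no signer certificate")
	}
	_, err := u.Cert.Verify(x509.VerifyOptions{
		Roots:       trusted,
		CurrentTime: now, // validity period is evaluated at this instant
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	if err != nil {
		// An out-of-period certificate arrives here as a
		// CertificateInvalidError with Reason == x509.Expired.
		return fmt.Errorf("signer certificate rejected: %w", err)
	}
	pub, ok := u.Cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("signer certificate does not carry an ECDSA key")
	}
	digest := sha256.Sum256(u.Payload)
	if !ecdsa.VerifyASN1(pub, digest[:], u.Signature) {
		return errors.New("signature does not match update payload")
	}
	return nil
}

// IsExpiredError reports whether err is specifically a validity-period failure.
func IsExpiredError(err error) bool {
	var inv x509.CertificateInvalidError
	return errors.As(err, &inv) && inv.Reason == x509.Expired
}

func main() {
	// Constructed scenario: a certificate whose validity window closed a year ago.
	now := time.Now()
	cert, key, err := newSigningCert(now.Add(-3*365*24*time.Hour), now.Add(-365*24*time.Hour))
	if err != nil {
		panic(err)
	}
	pkg, err := SignUpdate([]byte("constructed installer bytes"), cert, key)
	if err != nil {
		panic(err)
	}
	trusted := TrustedPool(cert)
	err = VerifyUpdate(pkg, trusted, now)
	fmt.Println("evaluated today:", err, "| expired:", IsExpiredError(err))
	// The same package evaluated at an instant inside the window is accepted.
	fmt.Println("evaluated inside window:", VerifyUpdate(pkg, trusted, now.Add(-2*365*24*time.Hour)))
}
```

The `CurrentTime` passed to `Verify` is the whole point: an updater that checks validity at install time cannot accept a package signed with a certificate that has already expired, which is why an expired signer should have produced a failure or a warning. An updater that must keep accepting packages signed before expiry relies on a trusted timestamp counter-signature and evaluates validity at the timestamp instead of the wall clock; a design that simply skips the time check, or that trusts whatever certificate the package carries rather than a pinned vendor set, accepts exactly the kind of package described in this article.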