Key abuse —

Adobe to revoke crypto key abused to sign malware apps (corrected)

The code signing key was compromised after attackers penetrated an Adobe server.

Adobe is revoking a cryptographic key used to confirm the authenticity of its applications after discovering it was compromised by attackers who abused it to validate malicious software.

The "inappropriate use" of the Adobe code signing certificate was pulled off by attackers who compromised a build server used to compile and package the company's applications, Adobe officials said in a statement published on Thursday. The server had access to the Adobe code-signing infrastructure, which forensic investigators have determined was used to sign two samples of malicious software.

"We believe the threat actors established a foothold on a different Adobe machine and then leveraged standard advanced persistent threat (APT) tactics to gain access to the build server and request signatures for the malicious utilities from the code signing service via the standard protocol used for valid Adobe software," officials wrote. The private key associated with the code validation process was stored in hardware security modules and wasn't extracted during the intrusion, Adobe investigators determined. There is no evidence that any source code was stolen.
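The attack path Adobe describes leaves a trace on the defender's side: every signature, legitimate or not, was issued by the signing service in response to a request from the build server. As an added example (not Adobe's code and not from the article), the check below audits a hypothetical signing-service request log against the build pipeline's own manifest of artifacts; the log format, host names, file names and digests are all constructed for the example.

```python
import re
from collections import namedtuple

# Hypothetical log format, one line per signing request (constructed for this example):
#   <timestamp> host=<requester> artifact=<file> sha256=<hex> status=<signed|denied>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) artifact=(?P<artifact>\S+) "
    r"sha256=(?P<sha256>[0-9a-f]{64}) status=(?P<status>\w+)$"
)
Finding = namedtuple("Finding", "ts host artifact reason")

def parse_line(line):
    """Return the fields of one log line, or None if it is malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def audit(log_lines, manifest, allowed_hosts):
    """Flag every completed signing request the build pipeline cannot account for.
    manifest maps artifact name -> sha256 the pipeline actually built. The intruders
    in the article used the legitimate build server, so the host allow-list alone
    would stay quiet; the manifest comparison is the check that fires."""
    findings = []
    for line in log_lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != "signed":
            continue  # malformed lines and refused requests produced no signature
        if rec["host"] not in allowed_hosts:
            findings.append(Finding(rec["ts"], rec["host"], rec["artifact"], "unexpected requesting host"))
        expected = manifest.get(rec["artifact"])
        if expected is None:
            findings.append(Finding(rec["ts"], rec["host"], rec["artifact"], "artifact not in build manifest"))
        elif expected != rec["sha256"]:
            findings.append(Finding(rec["ts"], rec["host"], rec["artifact"], "hash differs from build manifest"))
    return findings

# Constructed sample data: placeholder digests and timestamps, not real file hashes.
GOOD = "11" * 32
SAMPLE_MANIFEST = {"ReaderSetup.exe": GOOD}
SAMPLE_LOG = [
    f"2000-01-01T00:10:00Z host=build01 artifact=ReaderSetup.exe sha256={GOOD} status=signed",
    f"2000-01-01T00:11:30Z host=build01 artifact=pwdump7.exe sha256={'22' * 32} status=signed",
    f"2000-01-01T00:12:05Z host=build01 artifact=myGeeksmail.dll sha256={'33' * 32} status=signed",
    f"2000-01-01T00:13:00Z host=laptop9 artifact=ReaderSetup.exe sha256={GOOD} status=denied",
    "garbage line that does not parse",
]

def run_sample():
    """Run the audit over the constructed log; returns the two flagged utilities."""
    return audit(SAMPLE_LOG, SAMPLE_MANIFEST, allowed_hosts={"build01"})
```

The same comparison can be run continuously rather than after the fact, so that a signature issued for an artifact no build job produced is alerted on before the signed file ever leaves the network.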

One utility that was signed by the Adobe key was called pwdump7 v7.1. It "extracts password hashes from the Windows OS and is sometimes used as a single file that statically links the OpenSSL library libeay32.dll," according to the statement. The second malicious utility is myGeeksmail.dll, which is an ISAPI filter. Such applications are often used by APT actors to more fully penetrate a targeted company's defenses after gaining a foothold. APTs are highly targeted attacks in which attackers spend months or years casing a specific company to access its source code, blueprints, or other sensitive digital data. MD5 hashes of the malicious applications are listed in Adobe's statement.

The key was used to sign more than 5,100 software samples, Mikko Hypponen, chief research officer at antivirus provider F-Secure, wrote on Twitter.

"Through this process we learned a great deal about current issues with code signing and the impact of the inappropriate use of a code signing certificate," the statement concluded. "We plan to share our lessons learned as well as foster a conversation within the industry about the best way to protect users and minimize the impact on users in cases where the revocation of a certificate becomes necessary (as in this example). Please stay tuned for more details in the coming weeks."

This article was updated to correct information about the number of malicious samples found signed by the Adobe key.
