SecurityWeek

Adobe Revoking Code Signing Certificate Used To Sign Malware

Hackers Breached An Adobe Server To Gain Access To Code Signing Infrastructure

Adobe will be revoking a code signing certificate next week after discovering two pieces of malware that had been digitally signed with Adobe’s credentials.


The malicious utilities, pwdump7 v7.1 and myGeeksmail.dll, both came from the same source and both carried valid Adobe code signatures, Brad Arkin, senior director of security for Adobe products and services, wrote on the Adobe Secure Software Engineering Team blog on Thursday. The company traced the rogue signing requests to a compromised build server, at which point the code signing infrastructure was decommissioned, Arkin wrote.

Adobe plans to revoke the impacted certificate on Oct. 4, with the revocation applying to all code signed with it after July 10. An interim signing service will re-sign the affected products.

After initial investigation, the company identified a compromised build server which had been used to access the code signing infrastructure, Arkin wrote. The build server did not have rights to any public key infrastructure functions other than the ability to issue requests to the signing service, and it did not have access to any Adobe products such as Flash Player, Adobe Reader, Shockwave Player, or Adobe AIR, Arkin said. That single right, submitting signing requests, was enough: the attackers never needed the key itself, only a machine the signing service would accept requests from.

So far, Adobe has not seen any evidence of compromise related to any other sensitive information such as Adobe source code or customer, financial or employee data.

The revocation would only affect Adobe software signed with the affected certificate that runs on Windows, as well as three Adobe AIR applications (Adobe Muse, Adobe Story AIR, and Acrobat.com desktop services) that run on both Windows and Mac OS X, Arkin said.

The revocation will not impact any other Adobe software on Macs and other platforms.

Adobe is waiting until Oct. 4 to revoke the certificate to provide time for customers, especially administrators in managed environments, who may need to take action beforehand, Wiebke Lips, an Adobe spokesperson, told SecurityWeek.


The build server was infected with malware, which is probably how the attackers gained access to the machine in the first place, Arkin said. It is likely the attackers first compromised another Adobe machine and then “leveraged standard advanced persistent threat (APT) tactics” to move to the build server.

When asked whether the certificates had been stolen, Lips said, “Definitely not!” The private keys associated with the Adobe code signing certificates were stored in Hardware Security Modules (HSMs) kept in physically secure facilities. Adobe has confirmed during the course of its investigation the private key associated with the Adobe code signing certificate was not extracted from the Hardware Security Module, Lips explained.

The “vast majority” of Adobe customers on Windows will not be affected. Adobe has seen only the two malicious utilities, and the evidence indicates that the certificate was not used to sign widespread malware, Lips said.

The pwdump7 v7.1 utility extracts password hashes from the Windows operating system, and myGeeksmail.dll is a malicious ISAPI filter, a DLL that loads into the IIS web server process and can inspect or alter every request it handles, according to the blog post. Adobe does not believe versions of the ISAPI filter are publicly available.

Adobe is currently re-signing applications using the interim service, which also has “offline human verification” to ensure that all files are valid Adobe products. The company is also in the process of deploying a “new, permanent signing solution.”
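The incident as described above comes down to a policy decision at the signing service: the build server could only submit signing requests, the private key never left the HSM, and the fix Adobe chose was to add verification of what gets signed before the HSM sees it. The following is an added Python example written for this page, not Adobe's code. It models an HSM that only signs digests (HMAC-SHA256 stands in for the real asymmetric signature, an assumption made to keep the example dependency-free) and runs the same HSM behind a signing service in two configurations: one that signs anything an authenticated build job submits, and one that only signs artifacts listed in a release manifest. The artifact bytes, job names and manifest are constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed sample artifacts (not real binaries): a legitimate build output
# and an attacker-supplied password-dumping tool submitted from the same host.
LEGIT_ARTIFACT = b"MZ\x90\x00 constructed Adobe-style installer bytes"
ROGUE_ARTIFACT = b"MZ\x90\x00 constructed password-hash-dumping tool bytes"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class Hsm:
    """Stand-in for a hardware security module: the key is generated inside and
    is never returned to callers; the only operation is signing a digest.
    HMAC-SHA256 replaces a real RSA/ECDSA signature purely to avoid
    dependencies (assumption, not how Adobe's HSMs work)."""

    def __init__(self) -> None:
        self._key = os.urandom(32)

    def sign(self, digest_hex: str) -> bytes:
        return hmac.new(self._key, bytes.fromhex(digest_hex), hashlib.sha256).digest()

    def verify(self, digest_hex: str, signature: bytes) -> bool:
        return hmac.compare_digest(self.sign(digest_hex), signature)


@dataclass
class SigningService:
    """The network-facing service that build servers talk to. The HSM behind it
    is identical in both configurations; only the request policy differs."""

    hsm: Hsm
    release_manifest: dict            # artifact sha256 -> build job allowed to sign it
    require_manifest_match: bool = True
    audit_log: list = field(default_factory=list)   # (job, digest, verdict)

    def sign(self, job: str, artifact: bytes) -> bytes:
        digest = sha256_hex(artifact)
        approved = self.release_manifest.get(digest) == job
        self.audit_log.append((job, digest, "approved" if approved else "UNLISTED"))
        if self.require_manifest_match and not approved:
            raise PermissionError(f"refusing to sign unlisted artifact {digest[:12]} for {job}")
        return self.hsm.sign(digest)


def run_scenario() -> dict:
    hsm = Hsm()
    manifest = {sha256_hex(LEGIT_ARTIFACT): "flash-player-build"}   # constructed job name

    # Configuration A: any job allowed to reach the service gets a signature.
    permissive = SigningService(hsm, manifest, require_manifest_match=False)
    legit_sig = permissive.sign("flash-player-build", LEGIT_ARTIFACT)
    rogue_sig = permissive.sign("flash-player-build", ROGUE_ARTIFACT)  # compromised build server

    # Configuration B: same HSM, but only manifest-listed artifacts are signed.
    strict = SigningService(hsm, manifest)
    strict.sign("flash-player-build", LEGIT_ARTIFACT)
    try:
        strict.sign("flash-player-build", ROGUE_ARTIFACT)
        strict_blocked = False
    except PermissionError:
        strict_blocked = True

    unlisted = [e for e in permissive.audit_log + strict.audit_log if e[2] == "UNLISTED"]
    return {
        "legit_valid": hsm.verify(sha256_hex(LEGIT_ARTIFACT), legit_sig),
        "rogue_valid_under_permissive": hsm.verify(sha256_hex(ROGUE_ARTIFACT), rogue_sig),
        "strict_blocked_rogue": strict_blocked,
        "unlisted_requests": unlisted,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Under the permissive policy the rogue artifact receives a signature that verifies exactly like the legitimate one, even though the key never left the HSM, which is the situation Adobe describes. The manifest check is the automatable counterpart of the “offline human verification” Adobe added to its interim service, and the audit log is what lets an investigator enumerate every unlisted request after the fact instead of relying on the signed malware turning up in the wild.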

System administrators should watch for security software updates that detect these utilities, Arkin recommended. They can also create a Software Restriction Policy via Group Policy to disallow execution of the malicious utilities. Moving the impacted Adobe certificate to the Windows Untrusted Certificate Store does not appear to block these utilities from executing: Windows does not validate an Authenticode signature when an ordinary executable is launched, so distrusting the signer only affects components that explicitly check signatures, not the act of running the file.

“Adobe does not recommend using the Untrusted Certificate Store in this situation,” Arkin said.

According to Adobe, most customers won’t notice anything out of the ordinary during the certificate revocation process, but some IT administrators may have to take some actions.

“A small number of customers, in particular administrators in managed Windows environments, may need to take certain action,” Adobe said.

“Certificate-based compromises are becoming as common as phishing attacks and malware infections,” Jeff Hudson, CEO of Venafi told SecurityWeek. “Adobe’s admission that one of its certificates has been hijacked is another example of why organizations that rely on this most basic trust technology need to have a strategy in place for quickly identifying, revoking and replacing them when they have been compromised.” 

“Unfortunately, most organizations wait until a disaster strikes before taking action, hopefully this will serve as a wake-up call to all enterprises that there is simply no excuse for not having a remediation plan in place,” Hudson added.

To determine whether your organization is affected, see Adobe's Security Certificates update page.

Additional reporting by Mike Lennon

Related: Microsoft Certificate Was Used to Sign “Flame” Malware

Related: Comodo Certificates Used to Sign Banking Trojans in Brazil  

Related: CAs – A Means to Advanced Security, But Not the End  

Related: Microsoft Update Forces Min Certificate Key Length of 1024 Bits
