Security Experts:

Opera Software Hit by 'Infrastructure Attack'; Malware Signed with Stolen Cert

Norwegian browser maker Opera Software has confirmed that a targeted internal network infrastructure attack led to the theft of a code signing certificate that was used to sign malware.

The company did not provide specifics of the breach or provide any details on the subsequent malware attacks that took advantage of Opera’s update service.

“The current evidence suggests a limited impact. The attackers were able to obtain at least one old and expired Opera code signing certificate, which they have used to sign some malware. This has allowed them to distribute malicious software which incorrectly appears to have been published by Opera Software, or appears to be the Opera browser,” Opera warned in a brief advisory.

The breach, which was discovered on June 19, 2013, was described as a targeted attack with limited impact.

“Our systems have been cleaned and there is no evidence of any user data being compromised. We are working with the relevant authorities to investigate its source and any potential further extent. We will let you know if there are any developments,” Opera said.

However, Opera warned that it was possible that thousands of Windows users who were using the browser between 01.00 and 01.36 UTC on June 19th, may automatically have received and installed the malicious software.

Related Podcast: CSO Brad Arkin on Defending the Vault at Adobe

Opera plans to roll out a new version of its flagship browser which will use a new code signing certificate. There was no immediate word on when the new version will be released.

Falguni Bhuta, Sr. Communications Manager from Opera Software, told SecurityWeek that due to the ongoing investigation, they cannot talk about the incident in more detail.  

"At the moment, we cannot go into details, as the matter has been reported to the authorities and is under investigation," Bhuta said in an email to SecurityWeek. "This seems to be the result of a significant, targeted attack from sophisticated hackers, similar to the attacks towards other big web companies over the last year."

The Opera breach signals a growing shift by organized hacking groups to target the internal infrastructure network at big companies that provide client side software to millions of end users.

It closely resembles the September 2012 attack at Adobe where a build server with access to the Adobe code signing infrastructure was compromised by what was described as “sophisticated threat actors.”

Stolen digital certificates are typically used in targeted attacks to sign malicious files for privilege escalation and lateral movement within an environment following an initial machine compromise.

In a recent SecurityWeek podcast, Brad Arkin, who was recently named as Adobe’s first Chief Security Officer (CSO), discussed a recent trend where attackers have shifted to targeting company infrastructure and operations, such as code-signing infrastructure, rather than attacking the software itself. 

“We’ve gotten to the point where its hard enough to attack our software, that it’s now more attractive for bad guys to attack the engineering infrastructure that we use to build and operate our services and our code than it is to attack the services directly,” Arkin said.

Related PodcastCSO Brad Arkin on Defending the Vault at Adobe

*Updated at 4:15PM ET to include response from Opera Software

Ryan is the host of the podcast series "Security Conversations - a podcast with Ryan Naraine". He is the head of Kaspersky Lab's Global Research & Analysis team in the USA and has extensive experience in computer security user education, specializing in operating system and third-party application vulnerabilities, zero-day attacks, social engineering and social networking threats. Prior to joining Kaspersky Lab, he monitored security and hacker attack trends for over 10 years, writing for eWEEK magazine and the ZDNet Zero Day blog. Follow Ryan on Twitter @ryanaraine.