Opera Software Hit by ‘Infrastructure Attack’; Malware Signed with Stolen Cert

Norwegian browser maker Opera Software has confirmed that a targeted internal network infrastructure attack led to the theft of a code signing certificate that was used to sign malware.

The company did not provide specifics of the breach or any details on the subsequent malware attacks that took advantage of Opera’s update service.

“The current evidence suggests a limited impact. The attackers were able to obtain at least one old and expired Opera code signing certificate, which they have used to sign some malware. This has allowed them to distribute malicious software which incorrectly appears to have been published by Opera Software, or appears to be the Opera browser,” Opera warned in a brief advisory.

The breach, which was discovered on June 19, 2013, was described as a targeted attack with limited impact.

“Our systems have been cleaned and there is no evidence of any user data being compromised. We are working with the relevant authorities to investigate its source and any potential further extent. We will let you know if there are any developments,” Opera said.

However, Opera warned that thousands of Windows users who were using the browser between 01.00 and 01.36 UTC on June 19th may have automatically received and installed the malicious software.

Related Podcast: CSO Brad Arkin on Defending the Vault at Adobe

Opera plans to roll out a new version of its flagship browser which will use a new code signing certificate. There was no immediate word on when the new version will be released.

Falguni Bhuta, Sr. Communications Manager from Opera Software, told SecurityWeek that due to the ongoing investigation, they cannot talk about the incident in more detail.

“At the moment, we cannot go into details, as the matter has been reported to the authorities and is under investigation,” Bhuta said in an email to SecurityWeek. “This seems to be the result of a significant, targeted attack from sophisticated hackers, similar to the attacks towards other big web companies over the last year.”

The Opera breach signals a growing shift by organized hacking groups toward targeting the internal network infrastructure of big companies that provide client-side software to millions of end users.

It closely resembles the September 2012 attack at Adobe, in which a build server with access to the Adobe code signing infrastructure was compromised by what was described as “sophisticated threat actors.”

Stolen digital certificates are typically used in targeted attacks to sign malicious files for privilege escalation and lateral movement within an environment following an initial machine compromise.

In a recent SecurityWeek podcast, Brad Arkin, who was recently named Adobe’s first Chief Security Officer (CSO), discussed a trend in which attackers have shifted to targeting company infrastructure and operations, such as code-signing infrastructure, rather than attacking the software itself.

“We’ve gotten to the point where it’s hard enough to attack our software, that it’s now more attractive for bad guys to attack the engineering infrastructure that we use to build and operate our services and our code than it is to attack the services directly,” Arkin said.

*Updated at 4:15PM ET to include response from Opera Software

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
