Adobe's Digital Certificate Hack Highlights Trend

Anthony Freed
By | October 04, 2012

Posted in: Network Security Trends

That software you are downloading has a valid digital certificate so it can be trusted to be legitimate, right? Not necessarily. Compromised digital certificates have been key to the successful dissemination of some of the most dangerous malware strains discovered to date, including Stuxnet, Flame, Zeus, Mediyes, and the Lethic botnet.

Now Adobe is investigating a breach of the company's digital certificate code signing infrastructure that allowed for the creation of at least two malicious utilities accompanied by valid Adobe certificates which could have allowed malware to infect protected networks.

Adobe began mitigation efforts after receiving a sample of the first known malicious utility, pwdump7 v7.1 which is primarily used for password hash extraction. The second utility in question, myGeeksmail.dll, is a malicious ISAPI filter that is not publicly available and should pose no immediate threat.

The fraudulent certificates affect products that run on the Windows platform and three Adobe AIR applications designed for both Windows and Macintosh. The company believes that the malicious utilities were most likely created for use in targeted attacks consistent with advanced persistent threat (APT) attacks.

"Sophisticated threat actors use malicious utilities like the signed samples during highly targeted attacks for privilege escalation and lateral movement within an environment following an initial machine compromise," Adobe's Brad Arkin explains.

The company indicated they have identified a compromised build server that led to the creation of the certificates, and are taking appropriate steps to revoke certificates signed after July 10, 2012. The certificate revocation will occur at 1:15 pm PDT on Thursday October 4, 2012. Adobe will also issue updates for the affected products.

"Customers should not notice anything out of the ordinary during the certificate revocation process.  Details about what to expect and a utility to help determine what steps, if any, a user can take are available on the support page on Adobe.com," Arkin continued.

The Adobe incident is the latest example of digital certificate insecurity that puts end users at risk of compromise. The use of valid digital certificates by hackers to spread malicious code is alarming to say the least, as the trend undermines confidence in protocols designed to protect critical systems.

"Because certificates have gained a level of trust they are now targets of attack. They are the crown jewels and deserve extraordinary measures to protect," said Richard Stiennon, Chief Research Analyst at IT Harvest.

Rafal Los, senior security strategist at HP Software agrees with Stiennon's assessment, and emphasizes the importance of maintaining trust in a digital business environment.

“Digital Certificates are foundational to ‘trust’ on the Internet.  Strong key management, including defensible and hardened storage and signing mechanisms are absolutely critical to a security strategy on the Internet.  Since you can’t physically shake someone’s hand to verify their identity, certificates have become the de-facto mechanism for trust and identification.  Attackers naturally go after the highest value target – targeting these ‘trust’ mechanisms.  Whether you’re talking about cloud computing, mobility, or identity – that foundation for digital trust must be understood, maintained and protected as crucial assets," Los told Security Bistro via email.

You May Also Be Interested In: