Upon being convinced of the authenticity of the digital certificate used to sign the malware apps in question, the company decommissioned its existing code signing infrastructure and launched an investigation. According to Brad Arkin, senior director of product security and privacy at Adobe, the investigation led the company to a build server that had been compromised.
“We have identified a compromised build server that required access to the code signing service as part of the build process,” Arkin wrote in a post on the Adobe Secure Software Engineering Team (ASSET) blog Thursday. “Although the details of the machine’s configuration were not to Adobe corporate standards for a build server, this was not caught during the normal provisioning process. We are investigating why our code signing access provisioning process in this case failed to identify these deficiencies.”
But how did the attackers manage to get in? The company claims to have found the mechanism they used to compromise the build server, which was itself found to be infected with malware: “We can confirm that the private key required for generating valid digital signatures was not extracted from the HSM [Hardware Security Module]. We believe the threat actors established a foothold on a different Adobe machine and then leveraged standard advanced persistent threat (APT) tactics to gain access to the build server and request signatures for the malicious utilities from the code signing service via the standard protocol used for valid Adobe software.”
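The quoted account describes the key staying inside the HSM while the attackers simply asked the signing service to sign their utilities over the normal protocol. The defensive lesson is that an HSM protects the key, not the decision to sign, so the signing service itself needs a policy gate and an audit trail. The following added example (not Adobe's code; every host name, artifact name, hash and log line is constructed) shows one such gate: each registered build host may only request signatures for the artifact names it is expected to produce, optionally restricted to hashes recorded by the build system, and an audit pass over the service's request log surfaces requests that break the policy.

```python
"""Policy gate and audit for a code-signing service (added illustration).
All hosts, artifact names, hashes and log lines below are constructed."""
from dataclasses import dataclass
from datetime import datetime
from fnmatch import fnmatch
from typing import Dict, FrozenSet, List, Tuple

# Constructed allowlist: registered build hosts and the artifact name
# patterns each is expected to submit for signing.
SIGNING_POLICY: Dict[str, List[str]] = {
    "build-01.example.internal": ["ProductA-Setup*.exe", "ProductA*.dll"],
    "build-02.example.internal": ["ProductB*.air"],
}


@dataclass
class SigningRequest:
    timestamp: datetime
    host: str       # requesting build host (from authenticated client identity)
    artifact: str   # file name submitted for signing
    sha256: str     # digest of the submitted file


def evaluate(req: SigningRequest,
             policy: Dict[str, List[str]] = SIGNING_POLICY,
             known_hashes: FrozenSet[str] = frozenset()) -> Tuple[bool, str]:
    """Return (allowed, reason) for one signing request.

    known_hashes, when given, is the set of digests the build system has
    recorded for its own outputs; anything else is refused even from a
    registered host."""
    patterns = policy.get(req.host)
    if patterns is None:
        return False, "host not registered for code signing"
    if not any(fnmatch(req.artifact, p) for p in patterns):
        return False, "artifact name not expected from this host"
    if known_hashes and req.sha256 not in known_hashes:
        return False, "artifact hash not produced by a recorded build"
    return True, "ok"


def parse_log_line(line: str) -> SigningRequest:
    """Parse one constructed log line: '<ISO-8601 UTC> <host> <artifact> <sha256>'."""
    ts, host, artifact, digest = line.split()
    return SigningRequest(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                          host, artifact, digest)


# Constructed request log. The third line shows a registered build host
# requesting a signature for a file that is not one of its products.
CONSTRUCTED_LOG = """\
2012-07-26T01:10:00Z build-01.example.internal ProductA-Setup-1.0.exe 1111
2012-07-26T01:12:00Z build-02.example.internal ProductB-2.1.air 2222
2012-07-26T03:42:00Z build-01.example.internal unknown-tool.exe 3333
2012-07-26T03:45:00Z laptop-77.example.internal ProductA-Setup-1.0.exe 1111
"""


def audit(log_text: str,
          policy: Dict[str, List[str]] = SIGNING_POLICY,
          known_hashes: FrozenSet[str] = frozenset()) -> List[Tuple[str, str, str]]:
    """Return (artifact, host, reason) for every request the policy would refuse."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        req = parse_log_line(line)
        allowed, reason = evaluate(req, policy, known_hashes)
        if not allowed:
            findings.append((req.artifact, req.host, reason))
    return findings


if __name__ == "__main__":
    for artifact, host, reason in audit(CONSTRUCTED_LOG):
        print(f"REFUSE {artifact} from {host}: {reason}")
```

The gate only works if the service authenticates the requesting host (for example with a client certificate or a host-bound service identity) rather than trusting a name in the request, and if refusals are logged and reviewed; a build server whose configuration was never checked against standard, as in the quoted post, is exactly the client such a review should catch.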
The company feels that this issue does not pose a general security risk. A more likely scenario, according to the company, is one which involves the use of these digitally signed utilities “during highly targeted attacks for privilege escalation and lateral movement within an environment following an initial machine compromise.”
“Adobe is currently investigating what appears to be the inappropriate use of an Adobe code signing certificate for Windows,” the company said in a FAQ about the issue, which is said to only affect Adobe Muse, Adobe Story AIR applications and Acrobat.com desktop services. “To maintain trust in genuine Adobe software, we plan to revoke the impacted certificate on October 4, 2012 for all software code signed after July 10, 2012. We are in the process of issuing updates signed using a new digital certificate for all affected products.”
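Revoking a certificate "for all software code signed after July 10, 2012" means the revocation carries an effective date: a signature whose trusted timestamp countersignature predates July 10 stays valid, while a signature timestamped on or after that date, or one with no timestamp at all, no longer verifies. The added example below (not Adobe's or Microsoft's code) models that rule so an administrator can sort an inventory of signed files into those still trusted and those that need the re-signed update. The certificate serial is a placeholder because the article does not give it, the artifact records are constructed, and treating the July 10 boundary as inclusive is this example's own assumption.

```python
"""Classify signed files against a dated certificate revocation (added example).
Certificate serial is a placeholder; artifact records are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

UTC = timezone.utc

# PLACEHOLDER: the real serial of the affected certificate is not in the article.
AFFECTED_CERT = "PLACEHOLDER-CERT-SERIAL"

# Revocation effective dates, keyed by signer certificate serial. The date
# comes from the article: code signed after July 10, 2012 is affected.
REVOCATIONS: Dict[str, datetime] = {AFFECTED_CERT: datetime(2012, 7, 10, tzinfo=UTC)}


@dataclass
class SignedArtifact:
    name: str
    signer_serial: str
    # Time asserted by the timestamp countersignature; None if the file was
    # signed without a trusted timestamp.
    countersign_time: Optional[datetime]


def signature_status(art: SignedArtifact,
                     revocations: Dict[str, datetime] = REVOCATIONS) -> str:
    """Return 'valid' or 'revoked' for one artifact.

    Without a trusted timestamp there is no evidence the file was signed before
    the revocation date, so it is treated as revoked (the conservative choice,
    and the behaviour a verifier honouring the revocation date applies)."""
    effective = revocations.get(art.signer_serial)
    if effective is None:
        return "valid"                      # signer certificate not revoked
    if art.countersign_time is None:
        return "revoked"                    # cannot prove pre-revocation signing
    if art.countersign_time >= effective:   # inclusive boundary: assumption
        return "revoked"
    return "valid"


def needs_reissue(artifacts: List[SignedArtifact],
                  revocations: Dict[str, datetime] = REVOCATIONS) -> List[str]:
    """Names of artifacts whose signature no longer verifies and must be replaced."""
    return [a.name for a in artifacts if signature_status(a, revocations) == "revoked"]


# Constructed inventory covering each case the rule distinguishes.
CONSTRUCTED_INVENTORY = [
    SignedArtifact("installer-spring.exe", AFFECTED_CERT, datetime(2012, 5, 2, tzinfo=UTC)),
    SignedArtifact("installer-summer.exe", AFFECTED_CERT, datetime(2012, 8, 15, tzinfo=UTC)),
    SignedArtifact("helper-untimestamped.dll", AFFECTED_CERT, None),
    SignedArtifact("other-vendor.exe", "UNRELATED-CERT-SERIAL", datetime(2012, 8, 15, tzinfo=UTC)),
]

if __name__ == "__main__":
    for a in CONSTRUCTED_INVENTORY:
        print(f"{a.name}: {signature_status(a)}")
    print("needs re-signed update:", needs_reissue(CONSTRUCTED_INVENTORY))
```

On a real system the serial and countersignature time come from the file's Authenticode signature rather than from constructed records; the point of the model is the three-way split it makes explicit: timestamped before the date, timestamped after, and never timestamped.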
General security risk or not, this is a highly troubling development. What do you think?