Software maker Adobe posted a note yesterday about the discovery of two malicious utilities signed with the vendor's digital code signing certificate and released into the wild.
According to the advisory, the digital certificate was not stolen, manipulated or otherwise forcefully applied: the two applications were signed by submitting them to Adobe's highly controlled code signing infrastructure, where the company keeps its private keys and applies digital signatures to products.
"We have identified a compromised build server with access to the Adobe code signing infrastructure. We are proceeding with plans to revoke the certificate and publish updates for existing Adobe software signed using the impacted certificate," reads the advisory. "This only affects the Adobe software signed with the impacted certificate that runs on the Windows platform and three Adobe AIR applications* that run on both Windows and Macintosh. The revocation does not impact any other Adobe software for Macintosh or other platforms."
Among the files inappropriately signed with the company's certificate are a password grabber, an open-source SSL library used to encrypt traffic and an ISAPI filter. An ISAPI filter is a DLL that, once installed on a web server, lets an attacker transparently manipulate the information flowing to and from the server, creating a seamless man-in-the-middle attack.
Because of the nature of the signed applications, it is believed the attackers were planning to use them in a highly targeted attack, probably to deploy them on a system that restricts software installation to digitally signed files only. This technique was used by the Stuxnet worm in 2010 and allowed it to stay hidden for more than half a year.
"Sophisticated threat actors use malicious utilities like the signed samples during highly targeted attacks for privilege escalation and lateral movement within an environment following an initial machine compromise. As a result, we believe the vast majority of users are not at risk."
The build server appears to have been breached in early July, judging by the timestamp of the rogue files, which means that – most likely – the attackers have been using these files for about three months. Adobe will revoke the certificate on October 4, rendering it invalid.
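For defenders who need to find out what on their Windows hosts carries a signature from the affected certificate once it is revoked, the following PowerShell triage script is an added example (it is not from the article or from Adobe's advisory). It assumes a signer thumbprint supplied by the vendor advisory (the placeholder below stands in for it, since the article does not give one) and uses the OS chain builder with online revocation checking to report whether each signer is now revoked.

```powershell
# Added defender-side example; not part of the article or Adobe's advisory.
# Lists signed .exe/.dll files under a root, flags those signed by a given
# signer thumbprint, and asks Windows whether the signer chain is now revoked.
param(
    [string]$Root = 'C:\Program Files',
    # Placeholder: the affected certificate's thumbprint is not in the article.
    [string]$SuspectThumbprint = 'REPLACE_WITH_THUMBPRINT_FROM_ADVISORY'
)

function Test-SignerRevoked {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Consult CRL/OCSP online so a freshly revoked signer is actually reported.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $null = $chain.Build($Cert)   # return value ignored; we inspect ChainStatus
    $revoked = $chain.ChainStatus | Where-Object {
        $_.Status -band [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::Revoked
    }
    return [bool]$revoked
}

Get-ChildItem -Path $Root -Recurse -Include *.exe, *.dll -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        if ($null -eq $sig.SignerCertificate) { return }   # unsigned file, skip
        [pscustomobject]@{
            Path       = $_.FullName
            Status     = $sig.Status          # Valid / NotTrusted / HashMismatch ...
            Signer     = $sig.SignerCertificate.Subject
            Thumbprint = $sig.SignerCertificate.Thumbprint
            Suspect    = ($sig.SignerCertificate.Thumbprint -eq $SuspectThumbprint)
            Revoked    = Test-SignerRevoked -Cert $sig.SignerCertificate
        }
    } |
    # Surface only what needs a closer look: the suspect signer, anything whose
    # chain now reports revocation, or signatures that no longer validate.
    Where-Object { $_.Suspect -or $_.Revoked -or $_.Status -ne 'Valid' } |
    Format-Table -AutoSize
```

A hit on the suspect thumbprint is not proof of malice, since the same certificate also signed legitimate Adobe releases; it marks files to compare against the vendor's re-signed updates.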