Adobe scrambles to revoke stolen cert

Adobe has revealed an attack that compromised some of its software development servers, resulting in its code signing certificate being used to disguise malware as Adobe software. The attackers compromised a build server, Adobe says in this statement, which had “access to the Adobe code signing infrastructure”. The build …

COMMENTS

This topic is closed for new posts.
  1. solidsoup
    Alert

    Is this new?

    I've seen quite a bit of malware that causes system crashes, slows things down, and opens back doors. All of it was signed with an Adobe certificate. Some of it was even integrated into the browser and would prompt to install or update itself when visiting certain sites. Another vector was files with a .pdf extension. Upon trying to open one, you would be prompted with a request to download the malware. I'm not sure in what way this is news.

    1. TeeCee Gold badge
      Coat

      Re: Is this new?

      ... causes system crashes, slows things down, and opens back doors. All of it was signed with Adobe certificate.

      It didn't also display a splash screen saying "Adobe Air" by any chance?

    2. Anonymous Coward
      Thumb Up

      @solidsoup

      Think you may have needed to put a joke alert on your comment as it's likely to go flying over many people's heads... then again, it's no joke.

      1. Fred Flintstone Gold badge

        Re: @solidsoup

        Yup - he is right. As far as I can tell from the quality, malware is all the free software Adobe is making these days..

  2. Crazy Operations Guy

    How can this happen?

    Anyone with a clue about security knows that you never, ever connect critical machines like that to the internet.

    The simplest secure method I have seen is that the dev and test network has an internal-only cert for testing code and various builds; when a build passes it gets burned to a disc and taken to the build server, where it is then built and burned onto another disc, which gets uploaded as the release version.

    Nearly every machine (including servers) contains a DVD-RW drive, so all it's costing you is the hour or so to pay someone to make the discs and about $0.05 for the disc itself. Helps with auditing too, as you know exactly who would have access to the code-signing cert.

    1. Charles 9

      Re: How can this happen?

      Trouble is those writers tend to start faltering over time. And even then, optical drives (and the logical alternative, USB thumb drives) become infection vectors in and of themselves, particularly ones capable of penetrating the air-gap (think Stuxnet--it used USB to jump an air-gap).

      So, think a rootkit on the publishing server, secretly infects any optical disc written and any USB drive inserted, this jumps the airgap, gets inserted, infects the build server, sniffs out the private keys, then goes on to infect the return vector, which waits to find a network connection, and then sends the key juice back.

      Let's face it; if an adversary really, REALLY wants to have at it, cross every network you have to reach it. Even Sneakernet.

      1. Danny 4
        Linux

        Re: How can this happen?

        Or use a server that doesn't run Windows...

        1. Anonymous Coward
          Anonymous Coward

          Re: Or use a server that doesn't run Windows...

          You have knowledge that the server was running Windows? Please share....

          1. Anonymous Coward
            Anonymous Coward

            Re: Or use a server that doesn't run Windows...

            "The attackers compromised a build server"

            So it seems likely that it was

            1. Anonymous Coward
              Anonymous Coward

              Re: Or use a server that doesn't run Windows...

              @ AC 08:00...Build Server

              That would make sense if the compromised products only ran on Windows, but Adobe state this also affects 3 Adobe Air products running on Mac. So it's not a dead cert to be a Windows platform (sorry, I couldn't resist!)

              Yes, it was likely to be running Windows, but Danny 4 @ 07:02 was just repeating the old nonsense that Windows is insecure while Linux is not.

              And more to the point, what about the point-of-entry machine that the bad guys first compromised and used to attack into the Build Server?

              1. Danny 4

                Re: Or use a server that doesn't run Windows...

                It was actually in reply to the attack vectors suggested by Charles 9. I am not aware of the server OS used. Debian servers have been attacked in the past, but this was via a compromised dev account and not bugs in Linux. Bad configuration of the Adobe server seems likely.

                Though all software can have bugs and be poorly configured, I'm pretty sure most are happier their servers run Linux than IIS. I know I am.

      2. Crazy Operations Guy

        Re: How can this happen?

        @charles 9

        I know there are holes in every security system, but I suggested my solution because it would be simple to implement without needing much in the way of additional resources.

    2. Velv
      FAIL

      Re: How can this happen?

      "Nearly every machine (Including servers) contains a DVD-RW drive"

      Which just happens to be in three data centres 400 miles from the developers.

      There are LOTS of methods of securing the process, some have more weaknesses than others. None are perfect!

      1. Crazy Operations Guy

        Re: How can this happen?

        Put the server in the Lead Dev's office or some other office inside the main building; since it doesn't need network access, it can be located anywhere. It could even be a basic quad core desktop; build servers don't need much in the way of resources when all you are building is releases.

  3. J. R. Hartley
    Coat

    It's a dead cert.

    1. Anonymous Coward
      Anonymous Coward

      Right, get out. We'll send the coat on.

  4. nuked
    Facepalm

    According to wiki...

    Adobe is...

    ... "a natural building material made from sand, clay, water, and some kind of fibrous or organic material (sticks, straw, and/or manure), which the builders shape into bricks (using frames) and dry in the sun"

    Probably more secure imo..

    1. Anonymous Coward
      Anonymous Coward

      Re: According to wiki...

      Sounds like there's a LOT of manure in the mix they use !

  5. Mark 78

    How do you tell the difference?

    How do you tell the difference between the real software and the malware?

    1. Anonymous Coward
      Anonymous Coward

      Re: How do you tell the difference?

      The difference between the real software and malware is when the malware disguises itself as the real software.

    2. Tree

      Re: How do you tell the difference?

      real Adobe software is BLOATWARE

  6. Anonymous Coward
    Anonymous Coward

    Questions and observations

    The press release dated 27th September notes that:

    "The revocation of the impacted certificate for all code signed after July 10, 2012 is planned for 1:15 pm PDT (GMT -7:00) on Thursday October 4, 2012."

    So, the compromise of the cert occurred on 10th July, but they only discovered this by chance when some malware signed by an Adobe cert was submitted some months later. That's not exactly a shining example of security auditing is it.

    They also state that:

    "We believe the threat actors established a foothold on a different Adobe machine and then leveraged standard advanced persistent threat (APT) tactics to gain access to the build server "

    Apart from the weasel words (why can't they say "attackers" rather than "Threat Actors"), this suggests that a separate machine was compromised and used for some period of time before the compromise of the cert. Has that machine been isolated and what was the mechanism of access to that machine?

    "Scrambling" (as per the article title) suggests a fast reaction. Good that they took immediate action upon validation of the compromised cert, but they don't say what date that was and they don't explain why it will take at least 7 days (27th Sept to 4th Oct) to revoke and implement a new Cert. Hardly seems to be "scrambling" when it takes 7 days...
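An added example (not from the article, from Adobe, or from any poster) modelling what a dated revocation like the one quoted above means to a verifier, which is also the practical answer to Mark 78's question of how the real software is told apart from the malware: a trusted timestamp from before the effective date keeps a signature valid, while a later or missing timestamp does not. The only real value is the July 10, 2012 date; the certificate, file names and other times are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

UTC = timezone.utc
# The only real value: the effective revocation date quoted in Adobe's statement.
# Everything else here (certificate, file names, times) is constructed for illustration.
REVOCATION_EFFECTIVE = datetime(2012, 7, 10, tzinfo=UTC)

@dataclass
class SignerCert:
    subject: str
    not_before: datetime
    not_after: datetime
    revoked_from: Optional[datetime]  # effective revocation date from the CRL, if revoked

@dataclass
class SignedArtifact:
    name: str
    cert: SignerCert
    timestamp: Optional[datetime]  # trusted countersignature time; None = no timestamp
    signature_ok: bool  # cryptographic check, assumed done elsewhere

def evaluate(artifact: SignedArtifact, now: datetime) -> str:
    """Decide trust the way an Authenticode-style verifier treats a dated revocation."""
    if not artifact.signature_ok:
        return "reject: signature does not verify"
    # Without a trusted timestamp the only defensible signing time is "now".
    signing_time = artifact.timestamp or now
    c = artifact.cert
    if not (c.not_before <= signing_time <= c.not_after):
        return "reject: certificate not valid at signing time"
    if c.revoked_from is not None:
        if signing_time >= c.revoked_from:  # modelled as inclusive of the effective date
            return "reject: signed on or after the revocation date"
        return "trust: timestamped before revocation took effect"
    return "trust: certificate in good standing"

def demo() -> dict:
    cert = SignerCert("CN=Example Vendor (constructed)", datetime(2010, 1, 1, tzinfo=UTC),
                      datetime(2013, 1, 1, tzinfo=UTC), REVOCATION_EFFECTIVE)
    now = datetime(2012, 10, 4, 20, 15, tzinfo=UTC)  # 1:15 pm PDT, 4 Oct 2012, in UTC
    cases = [
        SignedArtifact("legit_installer.exe", cert, datetime(2012, 6, 1, tzinfo=UTC), True),
        SignedArtifact("suspicious_tool.exe", cert, datetime(2012, 7, 26, tzinfo=UTC), True),
        SignedArtifact("untimestamped.exe", cert, None, True),
        SignedArtifact("tampered.exe", cert, datetime(2012, 6, 1, tzinfo=UTC), False),
    ]
    return {a.name: evaluate(a, now) for a in cases}
```

Run `demo()` to see the four outcomes; the untimestamped file is rejected even though its signature verifies, because nothing proves it was signed before the revocation date.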

    1. Anonymous Coward
      Anonymous Coward

      Re: they don't explain why it will take at least 7 days

      Seems pretty quick to me, but then I can't get an infected desktop replaced within 7 days in my environment.

  7. LinkOfHyrule
    Paris Hilton

    Malware signed as Adobe software

    Adobe - Does exactly what it says on the tin

    Paris because she actually comes with a certificate of sorts herself so I am led to believe!

  8. bag o' spanners
    Mushroom

    air pollution

    I can't recall ever using a piece of software as glitchy as Air (trust me, I'm trying, even though it's Friday), which is probably why it was chosen for so many public sector online training fiascos. Horses for courses.

  9. Alan Denman

    Warehouse apps please.

    It's all a bit bawk bawk bawk, innit?

  10. JaitcH
    Thumb Down

    Hopefully, this will put paid to ...

    the daily bloody updates they send us.

    A real pain.

