In September, Adobe detected two malwares that were legitimately signed by Adobe! Having a valid signature of a trusted source like Adobe was a compelling advantage for these malwares. As one of the malwares was not publicly available, the likelihood that it was to be used with an Advanced Persistent Threat (APT) is extremely high.
Did a signing private key leak out as it was the case for Yahoo in May? Adobe performed an extensive forensics analysis. They discovered that one build server had been compromised. This build server could submit software for signature. According to Adobe, the configuration of the server was not at the proper Adobe standard of security. As it was a server that was compromised, this means that the private key stored in a Hardware Secure Module (HSM) was not compromised. Adobe had also the proof that this server requested the signature of the malwares. They believe that the attackers accessed first another server and then moved laterally to control this build server. Once the server controlled, the attackers requested the signature of their malware. This is a typical scheme for APT. It means also that the signed malware should also be used by other steps of this APT, which target was not Adobe.
Adobe has informed in details about the attack. The signing key has been revoked on October 4, 2012. Very proper job.
Once more, we see that APT become more and more sophisticated. Large organizations are clearly under serious threats (I will come back on that topic in one of my future posts.)