10-01-12 | Blog Post
Adobe announced on September 27th that two malicious utilities had been signed with a valid Adobe code-signing certificate. Brad Arkin, Adobe’s senior director of security for products and services, said the cause was a compromised build server that had access to Adobe’s code-signing infrastructure. The attackers got into the network and, using what Arkin calls APT-type (Advanced Persistent Threat) methods, moved through it until they found that server.
Arkin says of the attack, “our investigations to date [have] shown no evidence that any other sensitive information, including Adobe source code or customer, financial, or employee data, was compromised”, which suggests the attackers were after the trust an Adobe signature confers on a binary rather than Adobe’s data: a signed executable from a well-known vendor passes checks that unsigned malware does not.
The revocation affects Adobe software for Windows that was signed with the certificate after July 10th, plus three Adobe AIR applications that run on Windows or Mac.
Arkin also noted that the build server had access to the source code of only one Adobe product, and that the product was not Flash, Reader, or Shockwave. The certificate is slated to be revoked on October 4th. Adobe is still investigating which weakness in its infrastructure let the attackers compromise the machine, and how the compromise was carried out.
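The July 10th cut-off is the security-relevant detail. A code-signing certificate is revoked with an effective date, and a loader that finds the signer on the CRL still trusts signatures whose trusted timestamp (the countersignature from a timestamp authority) predates that date, while anything timestamped later, or carrying no timestamp at all, is rejected. The Go program below is an added example, not code from the original post or from Adobe. It builds a constructed CA and publisher certificate with Go’s standard library, signs a sample byte string that stands in for a Windows binary (Ed25519 over the raw bytes stands in for Authenticode’s PKCS#7 structure), publishes a CRL dated October 4th that back-dates the revocation to July 10th, and shows which signatures a verifier applying that rule still accepts. The names, serials and dates other than the two taken from the post are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

func date(y int, m time.Month, d int) time.Time { return time.Date(y, m, d, 0, 0, 0, 0, time.UTC) }

// mkCert issues tmpl signed by parent (self-signed when parent == tmpl) and parses it back.
func mkCert(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, signer ed25519.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// buildPKI creates a throwaway CA and code-signing leaf (constructed names; not Adobe's hierarchy).
func buildPKI() (ca, leaf *x509.Certificate, caKey, leafKey ed25519.PrivateKey, err error) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader) // keygen fails only if the entropy source does
	leafPub, leafKey, _ := ed25519.GenerateKey(rand.Reader)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Code Signing CA"},
		NotBefore: date(2011, 1, 1), NotAfter: date(2015, 1, 1), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign is required to issue the CRL below
	}
	if ca, err = mkCert(caTmpl, caTmpl, caPub, caKey); err != nil {
		return
	}
	leaf, err = mkCert(&x509.Certificate{
		SerialNumber: big.NewInt(0x2a), Subject: pkix.Name{CommonName: "Example Publisher"},
		NotBefore: date(2011, 1, 1), NotAfter: date(2015, 1, 1), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}, ca, leafPub, caKey)
	return
}

// revoke publishes a CRL dated `issued` listing leaf as revoked effective `effective` (possibly back-dated).
func revoke(ca *x509.Certificate, caKey ed25519.PrivateKey, leaf *x509.Certificate, effective, issued time.Time) (*x509.RevocationList, error) {
	der, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: issued, NextUpdate: issued.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: effective}},
	}, ca, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}

// verify is the loader's decision: sig must match code, and once the signer is on the CRL the
// signature is accepted only if its trusted (TSA) timestamp ts predates the revocation date;
// a zero ts (no timestamp) cannot prove that and is rejected outright.
func verify(code, sig []byte, ts time.Time, leaf, ca *x509.Certificate, crl *x509.RevocationList) error {
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return fmt.Errorf("CRL not issued by trusted CA: %w", err)
	}
	if pub, ok := leaf.PublicKey.(ed25519.PublicKey); !ok || !ed25519.Verify(pub, code, sig) {
		return errors.New("signature does not match code")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 && (ts.IsZero() || !ts.Before(rc.RevocationTime)) {
			return fmt.Errorf("signer revoked effective %s; timestamp %s does not predate it", rc.RevocationTime.Format("2006-01-02"), ts.Format("2006-01-02"))
		}
	}
	return nil
}

// Scenario replays the post's timeline (July 10 cut-off, October 4 revocation) and reports which signatures survive.
func Scenario() (map[string]bool, error) {
	ca, leaf, caKey, leafKey, err := buildPKI()
	if err != nil {
		return nil, err
	}
	crl, err := revoke(ca, caKey, leaf, date(2012, 7, 10), date(2012, 10, 4))
	if err != nil {
		return nil, err
	}
	code := []byte("constructed sample binary") // stands in for a signed PE file
	sig := ed25519.Sign(leafKey, code)            // the publisher's code signature
	trusted := func(ts time.Time) bool { return verify(code, sig, ts, leaf, ca, crl) == nil }
	return map[string]bool{
		"timestamped before cutoff": trusted(date(2012, 6, 1)),
		"timestamped after cutoff":  trusted(date(2012, 8, 15)),
		"no timestamp":              trusted(time.Time{}),
		"tampered binary":           verify([]byte("patched binary"), sig, date(2012, 6, 1), leaf, ca, crl) == nil,
	}, nil
}

func main() {
	res, err := Scenario()
	fmt.Println(res, err) // prints the four outcomes; only the pre-cut-off timestamp stays trusted
}
```

The untimestamped case is the one practitioners trip over: a signature genuinely made in 2011 but never countersigned by a timestamp authority cannot be distinguished from one the attackers produced, so it is rejected along with them, which is why timestamping every release matters before an incident, not after. The CRL’s own signature is checked before its contents are acted on; an unauthenticated CRL would let an attacker suppress the revocation entirely.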
Resources: Threatpost.com: Valid Adobe Certificate Used to Sign Malicious Utilities Common in Targeted Attacks.