It recently came out that some malware authors had signed their code with legitimate Adobe certificates to avoid detection. According to Adobe, the attackers were able to bypass the extensive security surrounding the firm’s certificate signing key.
How did the attackers get around a hardware security module and a physically secured location? They got into a build server and simply requested signatures for their malicious code, as if they were Adobe developers.
Two lessons are worth learning from this, I think.
Security needs to be both rigorous and thorough. Locking down one area with shiny security tech may distract you from a more mundane vulnerability elsewhere. Any security plan has to methodically consider all possible routes, not just the ones you happen to think of.
Once that’s done, plan assuming your last plan might fail at any point or at a point you’ve failed to consider.
(It may sound like I’m suggesting security requires spending hours making diagrams on a blackboard like you’re pulling a hack, but doing it informally works too. Mostly you need practice, and experience having your ideas and measures red teamed/offensively tested.)
““We believe the threat actors established a foothold on a different Adobe machine and then leveraged standard advanced persistent threat tactics to gain access to the build server and request signatures for the malicious utilities from the code signing service via the standard protocol used for valid Adobe software,” Arkin said.
So once the attackers had access to the Adobe build server, they simply requested signatures for their malicious utilities, got them, and went on their merry way. The attack itself is somewhat interesting, but what’s most interesting is what the attackers went after once they were on the network. They weren’t so much interested in Adobe’s corporate assets or source code, but rather the company’s reputation. They wanted the authority that came along with having their utilities signed with a legitimate Adobe certificate. […]
“Adobe Flash is the most widely deployed application in the world and its other apps, including Reader and Acrobat, are favorite targets of attackers looking for ways to compromise high-value systems. In the last couple of years, most of the zero-day vulnerabilities found in the company’s software have been discovered by attackers at the top of the food chain, Arkin said, and that pattern fits the attack announced yesterday, as well.
“In the last eighteen months, the only zero days found in our software have been found by what Dave Aitel would call carrier-class adversaries,” Arkin said in a keynote speech at the United Security Summit last year. “These are the groups that have enough money to build an aircraft carrier. Those are our adversaries.”
One interesting thing to come out of Adobe’s public remarks on the attack is the fact that the attackers were not able to get to the Adobe key directly. The key was stored in a hardware security module in a physically protected location, rather than in software. That’s a plus. The bad news is that the attackers found another way to get what they wanted, and a clever way at that.”
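The mundane route in this story is the signing service itself: the key sat safely in an HSM, but the service would sign any hash a build host submitted over the standard protocol. As an added illustration (my own sketch, not Adobe's pipeline or code), here is a policy gate that sits between the build host and the signer and only forwards requests for artifacts listed in a release manifest that the release manager authenticated out of band. Everything here is constructed: the HSM is stood in for by an HMAC, the manifest is authenticated with a second HMAC key, and the host name, artifact names and payloads are made up.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Optional

# Constructed demo keys (hypothetical). In a real deployment the signing key
# never leaves the HSM and the manifest key is held by the release manager,
# not by the build host, so a compromised build host cannot mint manifests.
RELEASE_MANAGER_KEY = b"demo-release-manager-key"
HSM_STANDIN_KEY = b"demo-hsm-key"


def manifest_mac(manifest: dict) -> str:
    """Release manager authenticates the manifest independently of the build host."""
    payload = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(RELEASE_MANAGER_KEY, payload, hashlib.sha256).hexdigest()


def hsm_sign(digest_hex: str) -> str:
    """Stand-in for the HSM-backed signer: it signs a digest it is handed, nothing more."""
    return hmac.new(HSM_STANDIN_KEY, digest_hex.encode(), hashlib.sha256).hexdigest()


@dataclass
class SigningGate:
    approved: dict = field(default_factory=dict)  # sha256 hex -> approved artifact name
    audit: list = field(default_factory=list)     # one record per signing request

    def load_manifest(self, manifest: dict, mac: str) -> None:
        # Refuse manifests the release manager did not authenticate.
        if not hmac.compare_digest(manifest_mac(manifest), mac):
            raise ValueError("manifest not authenticated by release manager")
        for name, digest in manifest["artifacts"].items():
            self.approved[digest] = name

    def request_signature(self, build_host: str, claimed_name: str,
                          artifact: bytes) -> Optional[str]:
        # The gate hashes the artifact itself rather than trusting a submitted digest.
        digest = hashlib.sha256(artifact).hexdigest()
        expected_name = self.approved.get(digest)
        approved = expected_name is not None and expected_name == claimed_name
        self.audit.append({
            "host": build_host,
            "name": claimed_name,
            "sha256": digest,
            "decision": "signed" if approved else "rejected",
        })
        return hsm_sign(digest) if approved else None

    def rejections(self) -> list:
        """Rejected requests are the signal worth alerting on: a build host asking
        for signatures on binaries no release ever declared."""
        return [entry for entry in self.audit if entry["decision"] == "rejected"]


def demo():
    # Constructed artifacts: one genuine release build, and one unlisted binary
    # submitted from the same build host under the same claimed name.
    release_build = b"\x4d\x5a" + b"genuine installer payload"
    unlisted_tool = b"\x4d\x5a" + b"unlisted utility payload"

    manifest = {
        "release": "1.0.0",
        "artifacts": {"installer.exe": hashlib.sha256(release_build).hexdigest()},
    }
    mac = manifest_mac(manifest)

    gate = SigningGate()
    gate.load_manifest(manifest, mac)
    sig_ok = gate.request_signature("build01", "installer.exe", release_build)
    sig_bad = gate.request_signature("build01", "installer.exe", unlisted_tool)
    return sig_ok, sig_bad, gate.rejections()


if __name__ == "__main__":
    ok, bad, rejected = demo()
    print("genuine build signed:", ok is not None)
    print("unlisted artifact signed:", bad is not None)
    for entry in rejected:
        print("ALERT unexpected signing request:", entry)
```

The point of the design is that the gate's decision depends on a manifest the build host cannot produce, so owning the build host is no longer enough to obtain a signature; the rejection log also turns the attack described above into something a SOC can see rather than a quietly honoured request.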