Adobe server hacked and malware signed with stolen digital certificates


Hackers broke into an internal server at Adobe and stole a code signing certificate that allows them to sign their malware files with a valid certificate.

The security breach was uncovered after Adobe came across two malicious "utilities" that appeared to be digitally signed with a valid Adobe certificate. It is unclear how, or whether, those files were used in the wild to target anyone.

One of the malicious utilities is pwdump7 v7.1, which extracts password hashes from the Windows OS and is sometimes used as a single file that statically links the OpenSSL library libeay32.dll. The second malicious utility, myGeeksmail.dll, is a malicious ISAPI filter.

Adobe plans to revoke the certificate and publish updates for existing Adobe software signed using the impacted certificate.

This only affects the Adobe software signed with the impacted certificate that runs on the Windows platform and three Adobe AIR applications* that run on both Windows and Macintosh. The revocation does not impact any other Adobe software for Macintosh or other platforms.
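Once a code signing certificate is revoked, the useful defensive check is whether any signed binary on a host still chains to it. The following PowerShell script is an added example (not from the article and not Adobe's own tooling): it walks a directory tree, reads each file's Authenticode signer, builds the signer's chain with online revocation checking, and flags anything revoked, untrusted, or matching a given thumbprint. The `$Path` default and `$ImpactedThumbprint` value are placeholders, since the article names neither.

```powershell
# Added example: find signed PE files whose signer is revoked, untrusted, or
# matches a specific certificate thumbprint. Not from the article or from Adobe.
using namespace System.Security.Cryptography.X509Certificates

param(
    # Assumed starting point; adjust to the software you need to audit.
    [string]$Path = "$env:ProgramFiles\Adobe",
    # PLACEHOLDER: the article does not give the impacted certificate's thumbprint.
    [string]$ImpactedThumbprint = 'PLACEHOLDER-THUMBPRINT-FROM-VENDOR-ADVISORY'
)

function Test-SignerRevoked {
    param([X509Certificate2]$Cert)
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'Online'       # query CRL / OCSP
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'  # check every cert in the chain
    $null = $chain.Build($Cert)
    # ChainStatus is empty when the chain is fully valid; look for the Revoked flag.
    foreach ($s in $chain.ChainStatus) {
        if ($s.Status.HasFlag([X509ChainStatusFlags]::Revoked)) { return $true }
    }
    return $false
}

Get-ChildItem -Path $Path -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        if ($sig.Status -eq 'NotSigned') { return }   # skip unsigned files
        $cert = $sig.SignerCertificate
        [pscustomobject]@{
            File       = $_.FullName
            Status     = $sig.Status                  # Valid, NotTrusted, HashMismatch, ...
            Signer     = $cert.Subject
            Thumbprint = $cert.Thumbprint
            Impacted   = ($cert.Thumbprint -eq $ImpactedThumbprint)
            Revoked    = Test-SignerRevoked -Cert $cert
        }
    } |
    Where-Object { $_.Impacted -or $_.Revoked -or $_.Status -ne 'Valid' } |
    Format-Table -AutoSize
```

A file whose signature is timestamped may still show as Valid after revocation if the revocation date is set later than the signing time, so compare the thumbprint as well rather than relying on chain status alone.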

Valid digital certificates being used for illegitimate purposes have become a preferred hacker ploy of late. Most recently, the authors of the Flame virus used rogue Microsoft certificates.
