Several thousand Opera users may have been presented with a script redirecting them to a server hosting malware as a result of a hack of the Opera network and the theft of a code-signing certificate.
A new version of the browser is available and Opera representatives urge users to update as soon as possible.
“We know what time period this redirect was in place for, and we know how many users were sent to the affected server, but we have no way of identifying these users,” said Opera developer and QA specialist Mark Wilton-Jones. “We also have no way of knowing what happened to them once they were redirected away, but we have strong reasons to believe at least some of them were presented with malware.”
The malware, according to a published scan by VirusTotal, is a Trojan capable of opening back door communication to a third-party server where keylogging and other data-stealing malware may be installed.
The certificate was used, Opera said, to sign the malware and present it as Opera software. The certificate was old and had been used to sign Opera 12.00; it expired on Jan. 29, but according to Opera, software signed with it will still install.
“Attempting to install this file works in common scenarios, even though the certificate is expired,” Wilton-Jones said. “This is controlled by the OS, not us, although in the future it would certainly be possible to run our own checks on the certificate of downloaded auto-updates, in addition to those imposed by the OS.”
While antimalware protection or User Account Control (UAC) in Windows should block the installation, not all versions of Windows perform these certificate checks. Also, some users may disable UAC.
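The updater-side checks Wilton-Jones describes above, "in addition to those imposed by the OS", amount to three things: confirm the downloaded update was signed by exactly the expected publisher certificate (pinning, not just a chain to any trusted CA), refuse a certificate that is outside its validity window at check time, and verify the signature over the bytes actually downloaded. The following Go program is an added illustration of those checks, not Opera's code or its auto-update format; the publisher certificate, the installer payload and the dates are constructed for the example, and ECDSA P-256 stands in for whatever signature scheme a real updater uses.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// UpdatePackage is what an auto-updater downloads: the installer bytes, a
// signature over them, and the publisher certificate that made the signature.
type UpdatePackage struct {
	Payload   []byte
	Signature []byte // ASN.1 DER ECDSA signature over SHA-256(Payload)
	CertDER   []byte // DER-encoded publisher certificate
}

// NewPublisher builds a constructed self-signed code-signing certificate and
// key; it stands in for a real publisher certificate in this example only.
func NewPublisher(notBefore, notAfter time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "Example Publisher (constructed)"},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// SignUpdate is the build-server side: sign the installer with the publisher key.
func SignUpdate(payload []byte, cert *x509.Certificate, key *ecdsa.PrivateKey) (UpdatePackage, error) {
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		return UpdatePackage{}, err
	}
	return UpdatePackage{Payload: payload, Signature: sig, CertDER: cert.Raw}, nil
}

// Fingerprint is SHA-256 over the DER certificate; an updater ships the
// expected value as a compiled-in constant (certificate pinning).
func Fingerprint(cert *x509.Certificate) [32]byte { return sha256.Sum256(cert.Raw) }

// VerifyUpdate runs the updater's own checks, independent of whatever the
// operating system does when the installer is later launched:
//  1. the certificate is exactly the pinned publisher certificate, so a
//     different certificate that merely chains to a public CA is refused;
//  2. the certificate is inside its validity window at time 'now', so an
//     expired certificate is refused here rather than left to OS policy;
//  3. the signature verifies over the downloaded bytes, so a swapped payload
//     is detected before anything is executed.
func VerifyUpdate(pkg UpdatePackage, pinned [32]byte, now time.Time) error {
	cert, err := x509.ParseCertificate(pkg.CertDER)
	if err != nil {
		return errors.New("update: certificate does not parse")
	}
	if Fingerprint(cert) != pinned {
		return errors.New("update: certificate is not the pinned publisher certificate")
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return errors.New("update: certificate expired or not yet valid")
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("update: unexpected public key type")
	}
	digest := sha256.Sum256(pkg.Payload)
	if !ecdsa.VerifyASN1(pub, digest[:], pkg.Signature) {
		return errors.New("update: signature does not verify over payload")
	}
	return nil
}

func main() {
	// Constructed dates: a certificate valid until late January 2013, checked once
	// during its validity and once in June 2013, after it expired.
	cert, key, err := NewPublisher(time.Date(2012, 1, 1, 0, 0, 0, 0, time.UTC), time.Date(2013, 1, 29, 0, 0, 0, 0, time.UTC))
	if err != nil {
		panic(err)
	}
	pkg, _ := SignUpdate([]byte("constructed installer bytes"), cert, key)
	fmt.Println("during validity:", VerifyUpdate(pkg, Fingerprint(cert), time.Date(2012, 12, 1, 0, 0, 0, 0, time.UTC)))
	fmt.Println("after expiry:   ", VerifyUpdate(pkg, Fingerprint(cert), time.Date(2013, 6, 19, 1, 0, 0, 0, time.UTC)))
}
```

One design note: real code-signing schemes such as Authenticode usually carry a trusted timestamp countersignature, which is why a legitimately signed old release keeps installing after its certificate expires. This example does not model timestamping and treats expiry at check time as fatal, which is the stricter policy an updater can afford, since it can always fetch an update signed with the current certificate, whereas a stolen old certificate cannot.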
“Even for users who were presented with malware, we don’t know how many actually installed it,” Wilton-Jones said. “It might have failed due to issues with the certificate, being blocked by anti-virus, or due to problems with the connection or download.”
Opera said the network intrusion happened on June 19 between 01:00 and 01:36 UTC, and that the network was cleaned in short order. “The active attack on Opera users ended shortly after it began,” Opera developer Sigbjorn Vik said, adding that for security reasons they could not comment on the details of how the attackers compromised the Opera network. Vik also said this was the only code-signing certificate stolen and that no user data or passwords to Opera Link were stolen. Opera Link is a service that synchronizes browser data across devices.
Opera did caution that Opera 15 uses the same autoupdate server as Opera 12, meaning that some Opera 15 users could have been affected too.
“It took us some time to determine the extent of the attack, and find out exactly what had happened. The best way forward would have been to release a new version of Opera, with a new certificate, at the same time as we published these details,” Wilton-Jones said in explaining the delay between discovery and disclosure. “We received the new certificate on Monday, but due to technical issues, we were not able to ship an update as of yesterday, so we decided to release the details even without the update, rather than wait any longer.”
Attackers have successfully used stolen code-signing certificates to sign malware in the past, most notably in attacks against Adobe and Microsoft, putting the onus on organizations to keep crypto keys safe.
“Organizations’ failure to control and protect cryptographic keys and certificates, the foundation of digital security and online trust, leaves the front doors open for attackers to enter at will and pilfer whatever sensitive data they want, whenever they want,” said Jeff Hudson, CEO of key management company Venafi, who added that most companies aren’t clear on their inventory of keys and certificates.
“Unplanned outages from expired certificates can no longer be viewed as an inconvenient IT operations issue, rather these common outages are symptomatic of much larger security vulnerabilities,” Hudson said. “It’s become clear that certificate-based attacks have become the attack vector of choice. Organizations must implement effective controls to ensure the safety of their network.”