The news yesterday that Adobe had been compromised and that the attackers were able to get valid Adobe signatures on a pair of malware utilities is one of the more troubling stories in what has become a year of huge hacks and historic change in the security industry. Adobe was forthcoming with many of the details of the attack, but the ones that were omitted are the ones that really matter in this instance.
As in most of these cases, what we know is mostly the results of the attack. We know that the attackers found a weak spot somewhere in Adobe's corporate infrastructure and used it to get in. Adobe has not identified what the vulnerability was, where the compromised machine sat on its network or how the attackers compromised it in the first place. Was it a phishing email, à la the RSA hack? Or was it something less pedestrian? We don't know.
We do know that once the attackers were inside, they began moving around until they found the machine that they were really interested in: a build server. They got there by using what Brad Arkin, Adobe’s top security and privacy official, said were techniques typically seen from APT-style attackers.
“We believe the threat actors established a foothold on a different Adobe machine and then leveraged standard advanced persistent threat tactics to gain access to the build server and request signatures for the malicious utilities from the code signing service via the standard protocol used for valid Adobe software,” Arkin said.
So once the attackers had access to the Adobe build server, they simply requested signatures for their malicious utilities through the same channel legitimate builds use, got them, and went on their merry way. The intrusion itself is somewhat interesting, but what's most interesting is what the attackers went after once they were on the network. They weren't so much interested in Adobe's corporate assets or source code as in the company's reputation: the trust that ships with a binary signed by a legitimate Adobe certificate, which Windows and end users extend to that code without further scrutiny.
If that sounds familiar, it's because the tactic is similar to one used by the Flame malware authors. In that case, the attackers used a chosen-prefix MD5 collision against a certificate issued under Microsoft's Terminal Server Licensing Service to forge a certificate that chained up to a Microsoft root and was usable for code signing, and signed some components of the malware with it. They then stood up a fake Windows Update server on an already-compromised network and redirected clients' update traffic to it, rather than to the real WU server, to deliver Flame. The difference worth noting is that Flame's authors attacked the cryptography, while Adobe's attackers never touched it; they attacked the process that decides what gets signed.
The fact that Adobe was the target of this kind of attack should come as no surprise, really, as the most capable attackers have been targeting the company's applications for years. Adobe Flash is among the most widely deployed pieces of software in the world, and its other apps, including Reader and Acrobat, are favorite targets of attackers looking for ways to compromise high-value systems. In the last couple of years, most of the zero-day vulnerabilities found in the company's software have been discovered by attackers at the top of the food chain, Arkin said, and that pattern fits the attack announced yesterday, as well.
“In the last eighteen months, the only zero days found in our software have been found by what Dave Aitel would call carrier-class adversaries,” Arkin said in a keynote speech at the United Security Summit last year. “These are the groups that have enough money to build an aircraft carrier. Those are our adversaries.”
One interesting thing to come out of Adobe's public remarks on the attack is that the attackers never got hold of the Adobe private key itself. The key was stored in a hardware security module in a physically protected location, rather than in software. That's a plus, and it is the reason the key material can be considered intact. The bad news is that an HSM only controls who may invoke the key, not what that caller asks it to sign: once the attackers owned a build server that was authorized to request signatures, they got the same result as if they had stolen the key, at least for the utilities they submitted. The practical consequence is the same as a key theft too. Any certificate that signed the attackers' tools has to be revoked, legitimate software signed with it has to be re-signed, and defenders who rely on a valid Adobe signature as a trust signal have to treat binaries from that certificate as suspect until they check the publisher's list of what it actually released.
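To make that boundary concrete, here is an added example (not Adobe's code, and not a description of Adobe's actual signing protocol) that models the path the article describes: a key that never leaves an HSM object, a signing service that allows only an approved build host to request signatures, and an attacker who has moved from a foothold onto that build host. HMAC-SHA256 is a constructed stand-in for the HSM's private-key operation, the host names and artifact bytes are made up, and the `enforce_manifest` mode is an assumed hardening (binding each signing request to a digest the release pipeline recorded) that the article does not attribute to Adobe.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


class HSM:
    """Stands in for the hardware security module: the key never leaves this
    object, only sign()/verify() are exposed. HMAC-SHA256 is a constructed
    stand-in for the private-key operation a real HSM would perform."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)

    def sign(self, digest: bytes) -> bytes:
        return hmac.new(self._key, digest, hashlib.sha256).digest()

    def verify(self, digest: bytes, signature: bytes) -> bool:
        return hmac.compare_digest(self.sign(digest), signature)


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


@dataclass
class SigningService:
    """The service in front of the HSM. It decides WHO may sign (an allowlist of
    build hosts) and, only when enforce_manifest is set, WHAT may be signed
    (digests the release pipeline recorded). The second check is an assumed
    hardening, not something the article says Adobe had in place."""

    hsm: HSM
    authorized_hosts: set
    release_manifest: dict = field(default_factory=dict)  # digest -> artifact name
    enforce_manifest: bool = False
    log: list = field(default_factory=list)

    def request_signature(self, host: str, artifact: bytes) -> bytes:
        digest = sha256(artifact)
        if host not in self.authorized_hosts:
            self.log.append(("REJECTED_HOST", host, digest.hex()))
            raise PermissionError(f"{host} is not an authorized build host")
        if self.enforce_manifest and digest not in self.release_manifest:
            self.log.append(("REJECTED_DIGEST", host, digest.hex()))
            raise PermissionError("digest is not in the release manifest")
        self.log.append(("SIGNED", host, digest.hex()))
        return self.hsm.sign(digest)


def verify_artifact(hsm: HSM, artifact: bytes, signature: bytes) -> bool:
    """What a client does: recompute the digest and check it against the signature."""
    return hsm.verify(sha256(artifact), signature)


def scenario(enforce_manifest: bool) -> dict:
    """Replay the attack path. The attacker never touches the HSM, only the
    authorized build host; the dict reports what each request yielded."""
    hsm = HSM()
    legit_build = b"constructed: bytes of a genuine installer"
    malicious_tool = b"constructed: bytes of an attacker utility"
    service = SigningService(
        hsm=hsm,
        authorized_hosts={"build-server-01"},
        release_manifest={sha256(legit_build): "installer"},
        enforce_manifest=enforce_manifest,
    )

    # From the attacker's initial foothold: the host allowlist does its job.
    try:
        service.request_signature("attacker-foothold", malicious_tool)
        foothold_rejected = False
    except PermissionError:
        foothold_rejected = True

    # Normal release flow from the build server.
    legit_sig = service.request_signature("build-server-01", legit_build)

    # Attacker who has moved laterally onto the build server itself.
    try:
        mal_sig = service.request_signature("build-server-01", malicious_tool)
    except PermissionError:
        mal_sig = None

    return {
        "foothold_rejected": foothold_rejected,
        "legit_verifies": verify_artifact(hsm, legit_build, legit_sig),
        "malware_signed": mal_sig is not None and verify_artifact(hsm, malicious_tool, mal_sig),
        "log": service.log,
    }


if __name__ == "__main__":
    for mode in (False, True):
        print(f"enforce_manifest={mode}: {scenario(enforce_manifest=mode)}")
```

With `enforce_manifest=False` the model reproduces the article's outcome: the key is never exported, a request from the attacker's own machine is refused, and the malicious utility still comes back with a signature that verifies exactly like the genuine build, because the service trusts the host rather than the artifact. With the manifest check on, the same request from the same compromised host is refused and leaves a `REJECTED_DIGEST` entry, which is also the log line a SOC would want to alert on. The hardening only helps if the manifest is produced somewhere the build server cannot write to, otherwise the attacker adds their digest to it first.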
So has the attack on Adobe given us any new information or insight into the tactics of the high-level attackers working right now? Not really. We knew that they are resourceful, knowledgeable, patient and smart. And we knew that they are going after the biggest targets in the U.S.: software companies, utilities, financial services companies, government agencies and defense contractors.
What this latest incident does is underscore each of those points and emphasize, again, how difficult it is for even the most well-funded and sophisticated organizations to defend against these attackers. Such is life at the top of the food chain.