Adobe is revoking a cryptographic key used to confirm the authenticity of its applications after discovering it was compromised by attackers who abused it to validate malicious software.
The “inappropriate use” of the Adobe code signing certificate was pulled off by attackers who compromised a build server used to compile and package the company’s applications, Adobe officials said in a statement published on Thursday. The server had access to the Adobe code-signing infrastructure, which forensic investigators have determined was used to sign two samples of malicious software.
“We believe the threat actors established a foothold on a different Adobe machine and then leveraged standard advanced persistent threat (APT) tactics to gain access to the build server and request signatures for the malicious utilities from the code signing service via the standard protocol used for valid Adobe software,” officials wrote. The private key associated with the code validation process was stored in hardware security modules and weren’t extracted during the intrusion, Adobe investigators determined. There is no evidence that any source code was stolen.
Read 4 remaining paragraphs | Comments