
Opera infrastructure hacked and digital certificate stolen


Opera Software revealed that its infrastructure was attacked and that a digital certificate was stolen and used to sign malware and deceive victims.

On June 19th Opera suffered a cyber attack that the company itself uncovered and contained. Opera disclosed the news in an official advisory published Wednesday morning.

“On June 19th we uncovered, halted and contained a targeted attack on our internal network infrastructure. Our systems have been cleaned and there is no evidence of any user data being compromised. We are working with the relevant authorities to investigate its source and any potential further extent. We will let you know if there are any developments.

The evidence suggests a limited impact. The attackers were able to obtain at least one old and expired Opera code signing certificate, which they have used to sign instances of malware. This has allowed them to distribute malicious software which incorrectly appears to have been published by Opera Software, or appears to be the Opera browser.”

The attackers penetrated Opera's network and stole at least one digital certificate, which they used to distribute malware. Once again, hackers used digitally signed malicious code to elude the defense mechanisms of their targets. Several details of the attack are still unclear, for example the source of the attack, the real number of servers compromised and the number of digital certificates stolen.

The software signed with the digital certificate appeared to be published by the browser maker, deceiving the victims. Although there is no evidence that users' data has been exposed, the incident could have serious repercussions. It is likely that the hackers signed the code to disguise it as Opera software or an Opera update, with the consequence that a few thousand Windows users who were using Opera between 1.00 and 1.36 UTC on June 19 may have received and installed the signed malicious code.

System administrators and the security team at Opera have cleaned the servers; the company has not provided further information on the incident.

How did the hackers gain access to the storage holding Opera's digital certificates, and what is the nature of the malicious code used by the attackers?

No data is available regarding the compromised server. Meanwhile, the Opera team suggested consulting the information provided by VirusTotal for more details on the detected malware instance.

[Image: Opera malware digitally signed]

As usual in such cases, potential victims are advised to sanitize their systems and update to the latest version of the software provided by the compromised firm. Opera urges users to “update to the latest version of Opera as soon as it is available, keep computer software up to date, and to use a reputable antivirus product on their computer.”

The investigation is still ongoing. Personally, I have many doubts that Opera has mitigated the data breach: the attackers deployed at least one infected file on an Opera server, and the malicious content may have been downloaded and installed by Opera itself. This is a failure from a security perspective.

The last doubt I have relates to the fact that, according to the advisory, the stolen certificate was expired: in this case, did Opera’s auto-update alert the user or stop the software update?

Fortunately, the majority of antivirus products on the market are able to detect the malware, and the window of exposure to it was limited to at most 36 minutes.

Pierluigi Paganini

(Security Affairs – Opera, malware, digital certificate )