Experts explain why digital certificate-related incidents are dangerous

Jun 27, 2013 06:38 GMT

Opera representatives say they’ve “halted and contained” a targeted attack against the company’s internal networks.

According to Opera’s Sigbjørn Vik, the attack took place on June 19. While there is no evidence that any user data has been compromised, the attackers have managed to cause some damage.

First of all, they stole at least one old and expired Opera code signing certificate, which they used to sign malware.

“This has allowed them to distribute malicious software which incorrectly appears to have been published by Opera Software, or appears to be the Opera browser,” Vik noted in a blog post.

Because a few thousand Windows users who used Opera between 1:00 and 1:36 UTC on the day of the breach may have automatically received and installed malicious software, the company is rolling out a new version of the web browser that will use a new code signing certificate.

Opera is working with authorities to determine the source and full extent of the breach.

“Organizations’ failure to control and protect cryptographic keys and certificates, the foundation of digital security and online trust, leaves the front doors open for attackers to enter at will and pilfer whatever sensitive data they want, whenever they want,” Jeff Hudson, CEO of encryption key and digital certificate management provider Venafi, told Softpedia.

“Today’s Opera Software security breach paints a clear picture of how a single digital certificate can be misused to allow a malicious actor to penetrate a network, go undetected and carry out their nefarious activities without working up a sweat,” Hudson added.

“To make matters worse, fifty-one percent of organizations surveyed by the Ponemon Institute admitted that they do not know how many keys and certificates are in use. So, while Opera Software was quick to react and remediate in this instance, this is merely one more example in a storied list of breaches that leverage stolen or compromised certificates and keys,” he said.

“Unplanned outages from expired certificates can no longer be viewed as an inconvenient IT operations issue, rather these common outdates are symptomatic of much larger security vulnerabilities. It’s become clear that certificate-based attacks have become the attack vector of choice.”