Opera says hackers pilfered code-signing certificate
Opera Software said Wednesday hackers pilfered from its internal systems at least one code-signing certificate that was used to sign malicious software.
The Oslo-based company, which makes a mobile and desktop web browser, wrote in a blog post that it believes a few thousand Windows users may have automatically installed malicious software between 01.00 and 01.36 UTC on June 19, the day the attack was detected and halted.
Code-signing certificates are used to cryptographically verify that a piece of software comes from its purported publisher. By using the certificate, it would have appeared to users that the malware was legitimate software from Opera, such as the company’s browser.
In its post, Opera included a link to VirusTotal, a website that tests malware samples against security programs to see if the malware is detected. The VirusTotal page shows the SHA256 hash of what is presumably the malware that used the expired code-signing certificate.
At the time of writing, just over half of the 47 security programs listed on VirusTotal that tested the sample detected it. The figure will likely rise as vendors tweak their programs to detect it.
Sigbjørn Vik, an Opera developer and quality assurance engineer, wrote that the certificate was expired, but did not reveal further details. The company said it has since cleaned its systems and that it does not believe user data was lost.
“We are working with the relevant authorities to investigate its source and any potential further extent,” Vik wrote.
Opera is planning to release a new version of its browser with a new code-signing certificate, but did not say when it will be available.