Opera Software revealed that its infrastructure was attacked and that a digital certificate was stolen and used to sign malware and deceive victims.
On June 19th, Opera suffered a cyber attack that was uncovered and contained by the company itself. Opera disclosed the incident in an official advisory published Wednesday morning.
“On June 19th we uncovered, halted and contained a targeted attack on our internal network infrastructure. Our systems have been cleaned and there is no evidence of any user data being compromised. We are working with the relevant authorities to investigate its source and any potential further extent. We will let you know if there are any developments.
The evidences suggest a limited impact. The attackers were able to obtain at least one old and expired Opera code signing certificate, which they have used to sign instances of a malware. This has allowed them to distribute malicious software which incorrectly appears to have been published by Opera Software, or appears to be the Opera browser.”
The attackers penetrated Opera's network and stole at least one digital certificate, which was used to distribute malware; once again, hackers used digitally signed malicious code to elude the defense mechanisms of their targets. Several details of the attack are still unclear, for example its source, the real number of servers compromised and the number of digital certificates stolen.
The software signed with the digital certificate appeared to be published by the browser maker, deceiving the victims. Although there is no evidence that user data has been exposed, the incident could have serious repercussions: it is likely that the hackers signed the code to disguise it as Opera software or an Opera update, with the consequence that a few thousand Windows users who were using Opera on June 19 between 1.00 and 1.36 UTC may have received and installed the signed malicious code.
System administrators and the security team at Opera have cleaned the servers; the company has not provided further information on the incident.
How did the hackers gain access to the storage of Opera's digital certificates, and what is the nature of the malicious code used by the attackers?
No data are available regarding the compromised server; meanwhile, the Opera team suggested consulting the information provided by VirusTotal for more details on the malware instance detected.
As usual in such cases, potential victims are advised to sanitize their systems and update to the latest version of the software provided by the compromised firm. In this case, Opera urges users to "update to the latest version of Opera as soon as it is available, keep computer software up to date, and to use a reputable antivirus product on their computer."
The investigation is still ongoing. Personally, I have many doubts that Opera has mitigated the data breach: the attackers deployed at least one infected file on an Opera server, and the malicious content may have been downloaded and installed by Opera itself. This is a failure from a security perspective.
The last doubt I have is related to the fact that, according to the advisory, the stolen certificate was expired; in this case, did Opera's auto-update alert the user or stop the software update?
Fortunately, the majority of antivirus products on the market are able to detect the malware, and the window of exposure to the malware was limited to at most 36 minutes.