Opera Data Breach Exposes Legions of Windows Users to Malware Attack

Hackers were able to obtain an expired code-signing certificate, which cyber-criminals have used to sign malware.

Browser vendor Opera Software disclosed June 26 that its network had been successfully attacked, enabling hackers to gain access to an expired Opera code-signing certificate.

The certificate has been used to sign malware, according to Opera, which added that user data was not affected in the attack.

"On June 19th we uncovered, halted and contained a targeted attack on our internal network infrastructure," Opera's Sigbjørn Vik explained in a blog post. "Our systems have been cleaned and there is no evidence of any user data being compromised. We are working with the relevant authorities to investigate its source and any potential further extent."

The attackers were able to obtain at least one old and expired Opera code signing certificate, which they used to sign some malware, Vik added. This allowed them to distribute malware under the guise of software published by Opera Software or that appears as the Opera browser.

According to Opera, it is possible that a few thousand Windows users using Opera between 1:00 and 1:36 UTC on June 19 may have automatically received and installed the malicious software. As a precaution, Opera stated, the company will roll out a new version of the browser using a new code signing certificate.

The breach shows the importance of heavily protecting cryptographic keys and certificates, said Jeff Hudson, CEO of data encryption management firm Venafi.

"Organizations' failure to control and protect cryptographic keys and certificates, the foundation of digital security and online trust, leaves the front doors open for attackers to enter at will and pilfer whatever sensitive data they want, whenever they want," said Hudson.

Opera Software's security breach "paints a clear picture of how a single digital certificate can be misused to allow a malicious actor to penetrate a network, go undetected and carry out their nefarious activities without working up a sweat," he added.

Protecting digital certificates can be problematic for enterprises. In February, a Venafi-sponsored survey of Global 2000 organizations in five countries by the Ponemon Institute found that 51 percent of respondents did not know how many keys and certificates they have in use, which further complicates security, Hudson said.

"While Opera Software was quick to react and remediate in this instance, this is merely one more example in a storied list of breaches that leverage stolen or compromised certificates and keys," Hudson said.

"Unplanned outages from expired certificates can no longer be viewed as an inconvenient IT operations issue; rather these common outdates are symptomatic of much larger security vulnerabilities," he said. "It’s become clear that certificate-based attacks have become the attack vector of choice. Organizations must implement effective controls to ensure the safety of their network."

Currently, Opera has a relatively small footprint in the Web browser market, holding a market share of 1.95 percent of all desktop browsers as of May, according to NetApplications.

"Users are strongly urged to update to the latest version of Opera as soon as it is available, keep all computer software up to date, and to use a reputable anti-virus product on their computer," blogged Vik. "For more information about the malware, including which anti-virus applications can detect it, virustotal has a good overview."