Opera breached, has code cert stolen, possibly spreads malware – advice on what to do
“On June 19th we uncovered, halted and contained a targeted attack on our internal network infrastructure. Our systems have been cleaned and there is no evidence of any user data being compromised. We are working with the relevant authorities to investigate its source and any potential further extent. We will let you know if there are any developments. The current evidence suggests a limited impact. The attackers were able to obtain at least one old and expired Opera code signing certificate, which they have used to sign some malware. This has allowed them to distribute malicious software which incorrectly appears to have been published by Opera Software, or appears to be the Opera browser. It is possible that a few thousand Windows users, who were using Opera between 01.00 and 01.36 UTC on June 19th, may automatically have received and installed the malicious software. To be on the safe side, we will roll out a new version of Opera which will use a new code signing certificate“.
The conclusions we reached, based on the announcement above, were:
- The network was breached.
- A code-signing key was stolen.
- Malware has been signed with it and circulated.
- At least one infected file was posted on an Opera server.
- That file may have been downloaded and installed by Opera itself.
- Cleanup and remediation has now been done at Opera.
- That sounds a bit more like Security breach not stopped.
- How else could a signed-and-infected file have been automatically downloaded by an already-installed instance of Opera? Anyway, wouldn’t Opera’s auto-update have failed or produced a warning due to the expired certificate? Until Opera has worked out the answer to these questions, Opera users probably want to assume the worst.
The good news is that the malware involved is widely detected by anti-virus tools, and the period of possible exposure via Opera itself was at most 36 minutes.
→ According to Opera, Sophos products block the offending file as Mal/Zbot-FG.
So, if you are an Opera for Windows user:
- Download a fresh copy of the latest version (since the buggy download appears to be a thing of the past).
- Make sure your anti-virus is up to date.
- If you can spare the time, do an on-demand (“scan now”) check of your computer.
- If we find out more detail about whether malware was distributed by existing Opera installations or not, we’ll let you know.
You can read the original article, here.