Report of Incident on 15-MAR-2011
An RA suffered an attack that resulted in a breach of one user account of that specific RA. This RA account was then used fraudulently to issue 9 certificates (across 7 different domains). All of these certificates were revoked immediately on discovery. Monitoring of OCSP responder traffic has not detected any attempted use of these certificates after their revocation.
Fraudulently Issued Certificates
9 certificates were issued as follows:
Domain: mail.google.com [NOT seen live on the internet]
Serial: 047ECBE9FCA55F7BD09EAE36E10CAE1E
Domain: www.google.com [NOT seen live on the internet]
Serial: 00F5C86AF36162F13A64F54F6DC9587C06
Domain: login.yahoo.com [Seen live on the internet]
Serial: 00D7558FDAF5F1105BB213282B707729A3
Domain: login.yahoo.com [NOT seen live on the internet]
Serial: 392A434F0E07DF1F8AA305DE34E0C229
Domain: login.yahoo.com [NOT seen live on the internet]
Serial: 3E75CED46B693021218830AE86A82A71
Domain: login.skype.com [NOT seen live on the internet]
Serial: 00E9028B9578E415DC1A710A2B88154447
Domain: addons.mozilla.org [NOT seen live on the internet]
Serial: 009239D5348F40D1695A745470E1F23F43
Domain: login.live.com [NOT seen live on the internet]
Serial: 00B0B7133ED096F9B56FAE91C874BD3AC0
Domain: global trustee [NOT seen live on the internet]
Serial: 00D8F35F4EB7872B2DAB0692E315382FB0
[...]
Our Interpretation
- The circumstantial evidence suggests that the attack originated in Iran.
- The perpetrator has focused simply on the communication infrastructure (not the financial infrastructure as a typical cyber-criminal might).
- The perpetrator can only make use of these certificates if it had control of the DNS infrastructure.
- The perpetrator has executed its attacks with clinical accuracy.
- The Iranian government has recently attacked other encrypted methods of communication.
- All of the above leads us to one conclusion only:- that this was likely to be a state-driven attack.
Microsoft Security Advisory (2524375)
Fraudulent Digital Certificates Could Allow Spoofing
http://www.microsoft.com/technet/security/advisory/2524375.mspx
Microsoft is aware of nine fraudulent digital certificates issued by Comodo, a certification authority present in the Trusted Root Certification Authorities Store on all supported versions of Microsoft Windows. Comodo advised Microsoft on March 16, 2011 that nine certificates had been signed on behalf of a third party without sufficiently validating its identity. These certificates may be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against all Web browser users including users of Internet Explorer.
-----------------------------------------------------------------
Cyber Attack Attribution is Inherently Difficult
Seems like a very effective method to enable a government to man-in-the-middle their own citizens for surveillance purposes. However, based on just the public information, the attribution to Iran should be taken with a gain of salt.
July 15, 2010: US Congress - Planning For The Future of Cyber Attack Attribution
'Given that the Internet is intended to be open and anonymous, the attribution of cyber attacks can be very, very difficult to achieve and should not be taken lightly." - Congressman David Wu (Chairman, Subcommittee on Technology and Innovation, Committee on Science and Technology)
Errata Security - No Reason to Believe Comodo Attack Came From Iran
http://erratasec.blogspot.com/2011/03/no-evidence-comodo-compromise-was-from.html
In the end, if you are responsible for information / cyber security of a corporation, it doesn't really matter if it is 16 year old kids or Iran - you don't want them on your network and you don't want them stealing your data. Period.
Have you ever seen Hacker's response:
ReplyDeletehttp://pastebin.com/74KXCaEZ
Thanks LikeLearning, I haven't seen this.
ReplyDeleteIt is important to that it is impossible to verify as an outsider, a person without internal knowledge of the hack, if this is real.
The person that wrote it says "I won't let anyone inside Iran, harm people of Iran, harm my country's Nuclear Scientists..." - indicating the person is in Iran (or at least wants people to think he is in Iran) and is pro-Iranian gov.
Well, if a state manages to get in your network is one thing, but if some 16 year olds manage to get it, there seems to be a bigger problem :)
ReplyDelete