Comodo Fingers Iranian Hackers in Digital Certificate Heist

Thursday, March 24, 2011



UPDATE:  Iranian Hacker Claims Comodo Digital Certificate Heist

*   *   *

Comodo, an issuer of digital certificates which verify the legitimacy of websites, has publicly accused Iranian hackers of fraudulently obtaining digital certificates from one of the company's Registration Authorities in Europe.

The stolen digital certificates could validate malicious websites used to spread malware, intercept email communications, or perform other criminal activities.

The certificates were for some of the biggest companies on the Internet including Microsoft, Yahoo, Skype, and Google.

Comodo now believes the operation to secure the certificates was a state-supported action initiated by the Iranian government.

"We believe these are politically motivated, state-driven/funded attacks. One of the origins of the attack that we experienced is from Iran. What is being obtained would enable the perpetrator to intercept Web-based email/communication and the only way this could be done is if the perpetrator had access to the country's DNS infrastructure, and we believe it might be the case here," said Melih Abdulhayoglu, the CEO and founder of Comodo.

The incident comes just a week after reports surfaced that Iran is actively recruiting a cyber army in an effort to strengthen the nation's cyber defensive and offensive capabilities.

Brigadier Gen. Gholamreza Jalali, leader of Iran's Passive Defense Organization, stated that the military is preparing “to fight our enemies with abundant power in cyberspace and Internet warfare.”

Comodo's incident report states the following:

"The attacker was well prepared and knew in advance what he was to try to achieve.  He seemed to have a list of targets that he knew he wanted to obtain certificates for, was able quickly to generate the CSRs for these certificates and submit the orders to our system so that the certificates would be produced and made available to him."

Our interpretation

  • The circumstantial evidence suggests that the attack originated in Iran.
  • The perpetrator has focused simply on the communication infrastructure (not the financial infrastructure as a typical cyber-criminal might).
  • The perpetrator can only make use of these certificates if it had control of the DNS infrastructure.
  • The perpetrator has executed its attacks with clinical accuracy.
  • The Iranian government has recently attacked other encrypted methods of communication.
  • All of the above leads us to one conclusion only:- that this was likely to be a state-driven attack.

If Comodo's assertions that this event was state-sponsored are correct, this may be the first evidence of Iran's "cyber army" in operation and an indication that there will be more attacks to come.

Former members of Iran's military forces confirm that there is a concerted effort to gain a cyber offensive capability.

“There are many true believers in Iran who are highly educated and very savvy with computers. Cyberwarfare is cheap, effective and doesn’t necessarily cause fatalities. It makes much more sense for not-so-wealthy nation states to build up cyber warfare capability rather than investing in missiles and warships,” said Reza Kahlili, a former member of Iran’s Revolutionary Guard.

Microsoft issued the following security advisory about the fraudulent certificates:

Microsoft is aware of nine fraudulent digital certificates issued by Comodo, a certification authority present in the Trusted Root Certification Authorities Store on all supported versions of Microsoft Windows. 

Comodo advised Microsoft on March 16, 2011 that nine certificates had been signed on behalf of a third party without sufficiently validating its identity. These certificates may be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against all Web browser users including users of Internet Explorer.

These certificates affect the following Web properties:




• (3 certificates)



• "Global Trustee"

Comodo has revoked these certificates, and they are listed in Comodo’s current Certificate Revocation List (CRL). In addition, browsers which have enabled the Online Certificate Status Protocol (OCSP) will interactively validate these certificates and block them from being used.

An update is available for all supported versions of Windows to help address this issue. For more information about this update, see Microsoft Knowledge Base Article 2524375.

Typically, no action is required of customers to install this update, because the majority of customers have automatic updating enabled and this update will be downloaded and installed automatically. For more information, including how to manually install this update, see the Suggested Actions section of this advisory.
