Wednesday, March 23, 2011

Cyber Attack From Iran

A well-prepared attacker with an IP address originating in Tehran, Iran (212.95.136.18) compromised a user account at an RA (Registration Authority) at comodo.com, created a new user ID for themselves, and quickly generated CSRs (Certificate Signing Requests) for nine certificates.  Comodo is a certification authority present in the Trusted Root Certification Authorities Store on Microsoft Windows, as well as in all modern web browsers such as Mozilla Firefox and Google's Chrome.

Given the proper circumstances, the resulting certificates could be used to spoof content, conduct phishing attacks, and/or perform man-in-the-middle attacks against all popular browsers, across many platforms.  Using these certificates, the attacker could redirect a victim to a forged Firefox plug-in download page and deliver malicious add-ons for them to install.  The certificate would appear valid to the browser, so the user would get no warning that something was amiss.  At that point, the attacker could control the lion's share of computers in American homes.

However, upon discovery, all certificates were revoked.  This will make using the forged certificates much more difficult and much less far-reaching (unless other key components of our Internet infrastructure are also compromised, namely our DNS systems).  Comodo could only verify that one of the certificates generated was actually received by the attacker.  Comodo reported, "Our systems indicate that when this one certificate was first tested it received a 'revoked' response from our OCSP responders.  The site in Iran on which the certificate was tested quickly became unavailable."


It is believed that "this was likely to be a state-driven attack".

At least it looks that way.  Of course - in cyberspace - things aren't always what they seem.  The attack could have just as easily been conducted by an American warhawk who compromised a system in Iran and launched the attack from there.  However, Comodo reported that "The Iranian government has recently attacked other encrypted methods of communication."

In order to use these certificates maliciously, there would have to be additional DNS tomfoolery.  Do the attackers already have that piece of the attack 'in the bag'?

You may recognize some of these domain names.  It looks like this was an attack against communications, as opposed to banks or online-shopping sites, as a criminal might attempt.


In any event - even though the certificates in question were revoked, Microsoft released a patch.  If you are running Windows, you should apply that patch.


From the Comodo release:

Fraudulently issued certificates

9 certificates were issued as follows:
Domain: mail.google.com [NOT seen live on the internet]
Serial: 047ECBE9FCA55F7BD09EAE36E10CAE1E

Domain: www.google.com [NOT seen live on the internet]
Serial: 00F5C86AF36162F13A64F54F6DC9587C06

Domain: login.yahoo.com [Seen live on the internet]
Serial: 00D7558FDAF5F1105BB213282B707729A3

Domain: login.yahoo.com [NOT seen live on the internet]
Serial: 392A434F0E07DF1F8AA305DE34E0C229

Domain: login.yahoo.com [NOT seen live on the internet]
Serial: 3E75CED46B693021218830AE86A82A71

Domain: login.skype.com [NOT seen live on the internet]
Serial: 00E9028B9578E415DC1A710A2B88154447

Domain: addons.mozilla.org [NOT seen live on the internet]
Serial: 009239D5348F40D1695A745470E1F23F43

Domain: login.live.com [NOT seen live on the internet]
Serial: 00B0B7133ED096F9B56FAE91C874BD3AC0

Domain: global trustee [NOT seen live on the internet]
Serial: 00D8F35F4EB7872B2DAB0692E315382FB0
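The serials Comodo published are the raw content bytes of each certificate's DER serialNumber INTEGER (which is why several start with a padding 00 byte). That makes a local check easy for anyone who does not want to rely solely on OCSP, which the post notes the attacker was already probing. The script below is an added example, not code from the post or from Comodo: it walks just enough ASN.1 to pull the serial out of a DER- or PEM-encoded certificate and looks it up in the list above. The DER skeleton built by `build_test_cert` is constructed for the example and is not a real certificate; it only has the structure the parser needs.

```python
"""Match an X.509 certificate's serial against the serials from Comodo's
March 2011 release. Pure standard library; no network access required."""
import base64

# Serials exactly as listed in the Comodo release (hex of the DER INTEGER
# content bytes), mapped to the domain each certificate was issued for.
FRAUDULENT_SERIALS = {
    "047ECBE9FCA55F7BD09EAE36E10CAE1E": "mail.google.com",
    "00F5C86AF36162F13A64F54F6DC9587C06": "www.google.com",
    "00D7558FDAF5F1105BB213282B707729A3": "login.yahoo.com",
    "392A434F0E07DF1F8AA305DE34E0C229": "login.yahoo.com",
    "3E75CED46B693021218830AE86A82A71": "login.yahoo.com",
    "00E9028B9578E415DC1A710A2B88154447": "login.skype.com",
    "009239D5348F40D1695A745470E1F23F43": "addons.mozilla.org",
    "00B0B7133ED096F9B56FAE91C874BD3AC0": "login.live.com",
    "00D8F35F4EB7872B2DAB0692E315382FB0": "global trustee",
}


def read_tlv(data, pos):
    """Parse one DER tag-length-value at data[pos].
    Returns (tag, value_start, value_end, position after the element)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length, pos + length


def certificate_serial_hex(der):
    """Extract serialNumber from a DER-encoded certificate.
    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE {
        version [0] EXPLICIT OPTIONAL, serialNumber INTEGER, ... }, ... }"""
    tag, cert_start, _, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    tag, tbs_start, _, _ = read_tlv(der, cert_start)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, vstart, vend, nxt = read_tlv(der, tbs_start)
    if tag == 0xA0:  # explicit [0] version present; skip it
        tag, vstart, vend, nxt = read_tlv(der, nxt)
    if tag != 0x02:
        raise ValueError("serialNumber is not an INTEGER")
    return der[vstart:vend].hex().upper()


def pem_to_der(pem_text):
    """Strip the PEM armour lines and base64-decode the body."""
    body = "".join(line.strip() for line in pem_text.splitlines()
                   if line.strip() and not line.startswith("-----"))
    return base64.b64decode(body)


def fraudulent_domain(der):
    """Return the domain from Comodo's list if the serial matches, else None."""
    return FRAUDULENT_SERIALS.get(certificate_serial_hex(der))


def der_len(n):
    """Encode a DER length (short form for n < 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def build_test_cert(serial_hex):
    """Constructed DER skeleton for testing the parser only:
    SEQUENCE { SEQUENCE { [0] { INTEGER 2 }, INTEGER serial } }.
    It is not a real certificate and carries no names, keys or signature."""
    serial = bytes.fromhex(serial_hex)
    version = b"\xa0\x03\x02\x01\x02"          # [0] EXPLICIT { INTEGER 2 } (v3)
    serial_tlv = b"\x02" + der_len(len(serial)) + serial
    tbs = b"\x30" + der_len(len(version) + len(serial_tlv)) + version + serial_tlv
    return b"\x30" + der_len(len(tbs)) + tbs


if __name__ == "__main__":
    sample = build_test_cert("00D7558FDAF5F1105BB213282B707729A3")
    print(certificate_serial_hex(sample), "->", fraudulent_domain(sample))
```

To run it against a certificate you have captured, pass `pem_to_der(open(path).read())` or the raw DER bytes to `fraudulent_domain`. The serial-only match is deliberately narrow: it identifies exactly these nine certificates and nothing else, which is the same thing the Microsoft patch mentioned above accomplishes by placing them in the untrusted store, so a miss here says nothing about whether some other certificate for the same domain is genuine.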

1 comment:

  1. Fraudulently issued certificates... but this is related to some big companies such as Yahoo and Google.