FBI Warns of Potential for Cyber Attacks from Iranian Group


In a confidential report to US businesses, the FBI warned of techniques
that have been used by an Iranian group believed to be responsible for
attacks against computer networks at defense contractors, energy
companies, and colleges and universities around the world. The warning
follows a report from Cylance about Operation Cleaver, the name for the
group’s activity.

This might be the group responsible for the worldwide attacks on CAs.

Article: The Register


NSA used forged certificates from hacked DigiNotar

A slide from an NSA presentation that mentions DigiNotar could, according to Bruce Schneier, point to possible involvement of the intelligence agency in the DigiNotar hack. Another option is that the NSA stole forged SSL certificates of the Dutch company from the hacker himself. The NSA document in question is in the hands of a Brazilian TV programme and originates from whistleblower Edward Snowden.

“A screenshot implies that the DigiNotar hack was either the work of the NSA or was used by the NSA,” Schneier says. NRC Handelsblad writes that Schneier is ‘certain’ that ‘there is a link between the NSA and DigiNotar’. Schneier took part in the analysis of the documents. “The hack was either the work of the NSA, or it was abused by the NSA.” Schneier works for the British telecom company BT.

The NSA collects vulnerabilities in browsers and computers on a large scale and is said to have created forged DigiNotar certificates that way. Fantastico showed a document from which it appears that the NSA impersonated Gmail and Hotmail through a so-called man-in-the-middle attack: web traffic is silently rerouted via a third party, who can read along with e-mails and other communication. Cybercriminals often use this method to deceive online banking users.

In this way the NSA spied on, among others, the Brazilian oil company Petrobras. Google itself is also said to have been tapped, as was SWIFT, a company that handles communication between financial institutions.

A leaked presentation shows that NSA agents are trained to penetrate the networks of companies, governments and financial institutions. The agency says it is hunting for transactions between terrorist organisations. The tapped information could also be used to spot a global financial crisis in time. The NSA claims that it spares trade secrets in doing so.

Given the timeline we published earlier and the number of Certificate Authorities hacked within one (1) year, this theory of Schneier's is not far-fetched. Certainly not when one considers that hackers, even when they are a government, cover their tracks, and that it would suit them well if the trail led to an Iranian hacker. This remains an unproven scenario, though.

The DigiNotar hack was discovered when an Iranian Gmail user got a strange warning in Chrome. Google had equipped its browser with an additional certificate check, which exposed the false certificate. The hack led to DigiNotar's downfall.


Bruce Schneier:

New NSA Leak Shows MITM Attacks Against Major Internet Services

The Brazilian television show “Fantastico” exposed an NSA training presentation that discusses how the agency runs man-in-the-middle attacks on the Internet. The point of the story was that the NSA engages in economic espionage against Petrobras, the Brazilian giant oil company, but I’m more interested in the tactical details.

The video on the webpage is long, and includes what I assume is a dramatization of an NSA classroom, but a few screen shots are important. The pages from the training presentation describe how the NSA’s MITM attack works

Article: NRC

Article: Schneier.com


TURKTRUST issue doesn’t appear to be the result of a CA attack

The problem with TURKTRUST doesn’t appear to be the result of an attack on the CA, though. Rather, it seems to have been a mistake. Still, Google officials said they plan to update Chrome again in the near future to remove the extended validation status of any current EV certificate issued by TURKTRUST. We published about TURKTRUST here.

The TURKTRUST case is eerily reminiscent of one in 2011 in which an attacker was able to issue himself a valid wildcard certificate for Google, as well as for several other high-value sites. That attack on the Comodo certificate authority involved the attacker stealing credentials for a registration authority connected to Comodo in Europe and then issuing the certificates. The same attacker later took credit for a similar compromise of DigiNotar, a Dutch CA that eventually went out of business as a result of the compromise. We published about DigiNotar here.

Adam Langley, Software Engineer, wrote on the Google Online Security Blog on Thursday, January 3, 2013, 10:01 AM:

“Late on December 24, Chrome detected and blocked an unauthorized digital certificate for the “*.google.com” domain. We investigated immediately and found the certificate was issued by an intermediate certificate authority (CA) linking back to TURKTRUST, a Turkish certificate authority. Intermediate CA certificates carry the full authority of the CA, so anyone who has one can use it to create a certificate for any website they wish to impersonate.

In response, we updated Chrome’s certificate revocation metadata on December 25 to block that intermediate CA, and then alerted TURKTRUST and other browser vendors. TURKTRUST told us that based on our information, they discovered that, in August 2011, they had mistakenly issued two intermediate CA certificates to organizations that should have instead received regular SSL certificates. On December 26, we pushed another Chrome metadata update to block the second mistaken CA certificate and informed the other browser vendors.

Our actions addressed the immediate problem for our users. Given the severity of the situation, we will update Chrome again in January to no longer indicate Extended Validation status for certificates issued by TURKTRUST, though connections to TURKTRUST-validated HTTPS servers may continue to be allowed.

Since our priority is the security and privacy of our users, we may also decide to take additional action after further discussion and careful consideration.”

This also raises questions about the CA system. See also our forum discussion.

Article: Google

Article: Threatpost




TURKTRUST CA Compromised

Microsoft publicly announced a release to actively “untrust” three certificates issued by the Certificate Authority TURKTRUST (a subsidiary of the Turkish Armed Forces ELELE Foundation Company) and its intermediate CAs. According to Microsoft, the company made a couple of major mistakes resulting in fraudulent certificate issuance that could be used to MITM encrypted communications or to spoof Gmail and a long list of other Google properties. A Chrome installation detected “an unauthorized digital certificate for the “*.google.com” domain” late on the night of December 24th, 2012.

The incident was first detected by Google. Their blog post says that Chrome detected the issue. That is interesting, because it implies that Chrome has some ability to detect (and report back to Google) attempts to MITM connections to google.com.

“The case occurred in August 2011 during a software migration operation, before the first successful ETSI TS 102 042 audit which took place in November 2011. The sequence of events that led to the mistaken issuance of two certificates can be best summarized as follows: Prior to June 2011, the certificate profiles on the production system were exported to the test system, containing a particular number of certificate profiles. For the sake of testing purposes, 2 more profiles were added that contain CA extensions,” Mert Özarar of TURKTRUST wrote in a description of the incident.

An intermediate certificate that is used for MITM allows the holder of the certificate to decrypt and monitor communication within their network between the user and any website. Additionally, if the private key of one of the mis-issued intermediate certificates was compromised, an attacker could use it to create SSL certificates containing domain names or IP addresses that the certificate holder does not legitimately own or control. An attacker armed with a fraudulent SSL certificate and the ability to control the victim’s network could impersonate websites in a way that would be undetectable to most users. Such certificates could deceive users into trusting websites that appear to originate from the domain owners but actually contain malicious content or software.

TURKTRUST is reaching out on various forums to present their findings on the problem. In the past, they have actively used manufacturer and vendor forums to request inclusion of their certificates in the trusted root authority store of various products. So while this communication may seem somewhat extraordinary, they have been this open in the past.

Source: mozilla.dev.security.policy:

“A few technical details about the case by TURKTRUST
Please find some critical points below about the root cause of the instance:
• The case occurred in August 2011 during a software migration operation, before the first successful ETSI TS 102 042 audit which took place in November 2011. The sequence of events that led to the mistaken issuance of two certificates can be best summarized as follows:
  • Prior to June 2011, the certificate profiles on the production system were exported to the test system, containing a particular number of certificate profiles.
  • For the sake of testing purposes, 2 more profiles were added that contain CA extensions.
  • In the meantime, the production system was also updated to meet the need of demand to contain 3 more SSL certificate profiles. Hence the production system and the test system appeared to have different number of profiles by one, and the two sets matched only in the profiles at the date of the first data migration.
  • The tests were completed before June 30, 2011. It was the unfortunate event that the production system was patched with the profiles in the test system, which had happened to contain 2 wrong profiles and lacked 3 correct profiles.
  • The wrong profiles were only used on August 8, 2011 to issue those two faulty certificates which were certainly not intended to be sub-CA certificates.
  • A certificate request on the 10th of August had called the use of one of the missing profiles, which was drawn to attention by a thrown exception. In order to fix this the whole set of certificate profiles was this time replaced to contain all correct profiles. Therefore the problem had been fixed once and for all although the unfortunate event that the certificates were mistakenly issued remained hidden.
It is assured that, this clearly identifies the root cause that led to the generation of faulty certificates. All related data resides in archives, and the sequence was all traced back to understand what really had happened. The system had been finally updated on October 17, 2011 and went through a successful ETSI TS 102 042 audit by KPMG on November 2011.
Although the system is now immune to any such kind of errors, further preemptive measures are implemented as described below:
One is a post process control for the certificates issued; the other is a run time control checking the certificate profile for end users.
Via the post process control, the validity period, basic constraints, CRL distribution point, Authority Info Access (AIA) and the other profile details are checked after certificate generation according to the certificate requirements coming from respective certificate policies before the certificate is delivered to the end customer. The post process control is planned as a separate and independent service from the certificate generation module of the CA software. Via the run time control, the basic constraints are restricted to the end user certificates.
Both controls have already been implemented. All OCSP requests and CRL data have already been analyzed to detect any anomaly during the entire period. The data revealed no anomaly at all.
The following issues are also worth considering at the moment:
  1.  One of the mistakenly issued certificates has been revoked before putting into use upon the request of the customer.
  2. The other certificate was reported to sign a fraudulent certificate (*.google.com) on December 6, 2012.
  3. Before the December 6, 2012, the certificate was installed on an IIS as a web mail server.
  4. On December 6, 2012, the cert (and the key) was exported to a Checkpoint firewall. It was the same day as the issuance of the fraudulent certificate (*.google.com).
  5. The Checkpoint firewall was said to be configured as MITM. It appears that the Checkpoint automatically generates MITM certificates once a CA cert was installed (http://www.gilgil.net/communities/19714)
  6. The second certificate was immediately revoked as soon as it was brought to TURKTRUST’s attention by Google on December 26, 2012.
  7. The available data strongly suggests that the *.google.com cert was not issued for dishonest purposes or has not been used for such a purpose.
  8. There is certainly not a bit of data to show an evidence of a security breach on TURKTRUST systems.”

The interpretation of the Check Point MITM usage for sniffing communications with Google properties is especially interesting. Apparently, someone exported an intermediate CA certificate (issued in August 2011) from an IIS webmail server, installed the CA cert on a Check Point “SSL Inspection” device and thereby created a fraudulent *.google.com certificate, all on the same day, months after the original certificates were mistakenly issued. Note the order of responsibility here: the CA extensions came from TURKTRUST's faulty profile, but the *.google.com certificate was minted by whoever held the webmail key, which is exactly why a certificate with cA=TRUE in the wrong hands is as dangerous as a breached CA.
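The three technical points on this page fit in one program: Google's remark that an intermediate certificate carries the full authority of the CA, TURKTRUST's "post process control" on basicConstraints and key usage, and Chrome's extra certificate check that flagged the *.google.com certificate. The Go program below is an added example and is not code from TURKTRUST, Google or the original post. Every key and name in it (Example Root CA, webmail.example.com, the "genuine" site key that stands in for Google's) is generated or made up on the spot and labelled as constructed, the pin set is simplified to the site's own SubjectPublicKeyInfo hash, and the checks themselves are my reading of the incident description above, not TURKTRUST's software.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newKey returns a fresh P-256 key; every key in this example is constructed on the spot.
func newKey() *ecdsa.PrivateKey {
	return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
}

// profile builds a template: ca=true is the faulty test profile carrying CA extensions, ca=false the correct SSL profile.
func profile(cn string, serial int64, ca bool, dns ...string) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  ca,
		DNSNames:              dns,
	}
	if ca {
		t.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	return t
}

// issue signs tmpl for pub with the signer's key; pass tmpl as parent for a self-signed root.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

// PostIssuanceCheck is the "post process control" TURKTRUST describes: inspect the certificate
// as actually issued and reject anything an end-entity SSL certificate must not carry.
func PostIssuanceCheck(c *x509.Certificate) error {
	switch {
	case c.BasicConstraintsValid && c.IsCA:
		return errors.New("basicConstraints cA=TRUE on an end-entity certificate")
	case c.KeyUsage&(x509.KeyUsageCertSign|x509.KeyUsageCRLSign) != 0:
		return errors.New("keyUsage permits certificate or CRL signing")
	}
	return nil
}

// SPKIPin returns base64(SHA-256(SubjectPublicKeyInfo)), the form public-key pins take.
func SPKIPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// PinMatches reports whether any certificate in the presented chain carries a pinned key;
// a chain that validates but matches no pin is what Chrome's check flagged.
func PinMatches(chain []*x509.Certificate, pins map[string]bool) bool {
	for _, c := range chain {
		if pins[SPKIPin(c)] {
			return true
		}
	}
	return false
}

// Scenario replays the incident with constructed keys: does the forged chain verify against the
// root, would the control have caught the mis-issuance, and does a pinning client accept the chain?
func Scenario() (verifies, caught, pinned bool) {
	rootKey, webmailKey, forgedKey, siteKey := newKey(), newKey(), newKey(), newKey()
	rootTmpl := profile("Example Root CA", 1, true)
	root := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	// The faulty profile: a plain webmail server certificate issued with CA extensions.
	webmail := issue(profile("webmail.example.com", 2, true, "webmail.example.com"), root, &webmailKey.PublicKey, rootKey)
	// Whoever holds that key (or the appliance it was exported to) can now sign for any name.
	forged := issue(profile("*.google.com", 3, false, "*.google.com"), webmail, &forgedKey.PublicKey, webmailKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(webmail)
	_, err := forged.Verify(x509.VerifyOptions{DNSName: "mail.google.com", Roots: roots, Intermediates: inters})
	verifies = err == nil
	caught = PostIssuanceCheck(webmail) != nil
	// A client that pins the genuine site key (constructed here) rejects the forged chain.
	genuine := issue(profile("*.google.com", 4, false, "*.google.com"), root, &siteKey.PublicKey, rootKey)
	pinned = PinMatches([]*x509.Certificate{forged, webmail}, map[string]bool{SPKIPin(genuine): true})
	return verifies, caught, pinned
}

func main() {
	fmt.Println(Scenario())
}
```

Run it with `go run .`; it prints `true true false`: the path-validation logic in every browser accepts the forged *.google.com certificate because the webmail certificate really is a CA certificate, the post-issuance control rejects the webmail certificate before it ever leaves the CA, and a client that pins keys rejects the chain even though it validates. The control runs on the parsed certificate rather than on the request, which is the point TURKTRUST makes: the profile bug was invisible at request time and only shows in what was actually signed.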

This looks similar to the Comodo Hacker, who was also responsible for the DigiNotar hack. We published about that before.

Article: Securelist

Article: Mozilla

Article: Threatpost


Certification Authority Breaches; was DigiNotar the only one?

2011 was a year of data breaches at CAs, at least from an information security perspective. The certificate authority trust model was hacked several times. One of the victims was declared bankrupt: DigiNotar. This company was compromised by the infamous Comodo Hacker, who had already compromised other certificate authorities earlier that year. The hacks seemed to be politically motivated, and a retaliation for Stuxnet.

The attacks on CAs virtually started in 2010, with Stuxnet itself. It was the first malware using a driver signed with a valid certificate belonging to Realtek Semiconductor Corp. After that there were about eleven other breaches: certificates forged for eavesdropping (Comodo Hacker), malware signed with stolen driver-signing certificates, or compromised servers.


Jan 25 2011, Stuxnet
The Stuxnet driver is found to be signed with a valid certificate belonging to Realtek Semiconductor Corp. On July 16 2010, VeriSign had revoked Realtek Semiconductor Corp's certificate.
Article: Symantec

Mar 24 2011, Comodo
As revenge for Stuxnet, an Iranian hacker forges fake certificates for Google's email services.
Article: Pastebin

Aug 29 2011, DigiNotar
A user finds a certificate warning about a revoked SSL certificate for Google services. The certificate was issued on July 10th by the Dutch CA DigiNotar. The fake certificate was forged by the Comodo Hacker and revoked immediately.
Article: Sophos

Sep 6 2011, DigiNotar, GlobalSign and StartCom
The real extent of the DigiNotar breach becomes clear: 531 bogus certificates were issued, including for Google, the CIA, Mossad and Tor. The Comodo Hacker also claims to own more CAs, among which GlobalSign, which suspends issuance of certificates as a precaution. Another one, StartCom, was able to avoid the hack because its CEO was sitting in front of the HSM, although the attacker claims to own its emails, database and customer data.
Article: Pastebin

Sep 7 2011, Symantec
As a consequence of the Comodo Hacker's claims, Symantec releases a statement to reassure its customers that its infrastructure has been audited and is not compromised.
Article: Symantec

Sep 7 2011, Thawte
Panic is spreading through the certificate authority industry. Thawte publishes an announcement similar to Symantec's after an erroneous report from a Dutch government agency according to which the security firm had been breached.
Article: Thawte

Sep 9 2011, GlobalSign
After suspending certificate issuance, GlobalSign finds evidence of a breach of the web server hosting its www website. The breached web server has always been isolated from all other infrastructure and is used only to serve the www.globalsign.com website.
Article: Globalsign

Oct 19 2011, Duqu
Researchers discover that Duqu, the son of Stuxnet, masks itself as legitimate code using a driver file signed with a valid digital certificate. The certificate belongs to a company headquartered in Taipei, identified by F-Secure as C-Media Electronics Incorporation. The certificate was set to expire on August 2, 2012, but authorities revoked it on Oct. 14, shortly after Symantec began examining the malware.
Article: Wired

Nov 3 2011, DigiCert Malaysia
Mozilla announces the revocation of another intermediate signing certificate, used by a registrar in Malaysia, DigiCert Sdn. Bhd. (not the same as the US-based DigiCert), which had issued 22 weak certificates (512-bit RSA) to the Malaysian government that could lead to abuse or compromise. Entrust stated that two of the certificates issued were used to sign malware used in a spear-phishing attack against another Asian certificate authority. Three other certificates were also involved, but were not issued by DigiCert Sdn. Bhd.
Article: Sophos

Nov 4 2011, Getronics (KPN)
After DigiNotar, another Dutch certificate authority, KPN, stops issuing digital certificates as a precaution after finding a DDoS attack tool during an audit on a server in its web infrastructure. The tool may have been there for as long as four years.
Article: Threatpost

Nov 14 2011, Malaysian Agricultural Research and Development Institute
F-Secure detects malware signed with a government signing key belonging to mardi.gov.my, which is part of the Government of Malaysia. According to information received from the Malaysian authorities, this certificate was stolen “quite some time ago”.
Article: F-Secure

Dec 8 2011, Gemnet (KPN)
Another Dutch certification authority breached: security firm Gemnet suffers a data breach including administrative credentials. Parent company KPN has suspended sister company Gemnet CSP's certificate signing operations.
Article: Sophos

Dec 2012: DigiNotar director Tony de Bos starts a new company: Cybbos

CYBBOS is an innovative and fast-growing organisation that specialises in preventing, detecting and resolving cyber security incidents. Their philosophy is not only to prevent incidents but also to detect and resolve them quickly, through continuous control of the organisation.
Website: Cybbos


DigiNotar was not the only one. Of eleven breaches in one year (2011), three Dutch companies were involved: DigiNotar, Getronics (KPN) and Gemnet (KPN). DigiNotar, however, had already been breached earlier.
Article: F-Secure

KPN seems to be more vulnerable: in February 2012 KPN got hacked again:
Article: Telecompaper
This time the hacker was arrested:
Article: Computerworld


What happened to the Comodo Hacker?

According to the Dutch government nobody was found or arrested; the investigation petered out. Article: Computable (Dutch)

Related articles:
De opkomst en ondergang van Diginotar (Dutch)


