300,000 Iranian IP Addresses Compromised In DigiNotar SSL Hack
5:47 PM EST Tue. Sep. 06, 2011
Google Web mail sessions from roughly 300,000 Iranian IP addresses were likely intercepted by attackers using a fraudulent security certificate issued after a cyber attack on Dutch certificate authority DigiNotar, according to investigators.
Certificate authorities, or CAs, such as DigiNotar, digitally sign the certificates that bind a domain name to a public key. Browsers ship with a list of trusted CAs and accept a certificate signed by any of them for the domain it names; that signature is what stands behind the padlock on a site protected by secure sockets layer, or SSL.
Attackers who could issue certificates from DigiNotar's systems were therefore able to impersonate any domain they named in a rogue certificate. A browser that trusted DigiNotar accepted the impostor without warning, which let the attackers sit between user and site, decrypt the traffic, and read or alter everything the user entered, including passwords and session cookies, in spoofing and man-in-the-middle attacks.
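To make the trust problem concrete, here is an added example in Go, using only the standard library; it is not code from the original article, from Fox-IT or from DigiNotar. It builds two throwaway root CAs with hypothetical names, places both in a trust store the way a 2011 browser trusted DigiNotar alongside every other root, has the "compromised" one issue a certificate for www.google.com, and shows that ordinary chain validation accepts the impostor while a check that also pins the site's expected CA public key rejects it. All keys and certificates are generated on the fly; no real DigiNotar or Google key material is involved.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue generates a fresh key pair and has parentKey sign tmpl for it (or the
// new key itself when parentKey is nil). It panics on error to stay short.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parentKey == nil {
		parentKey = key // self-signed
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// newCA makes a throwaway self-signed root; the names used are hypothetical.
func newCA(name string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
	}
	return issue(tmpl, tmpl, nil)
}

// issueLeaf has a CA sign a server certificate for host; nothing in X.509 stops
// a CA whose signing systems were breached from doing this for any name.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(100),
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	cert, _ := issue(tmpl, ca, caKey)
	return cert
}

// spkiPin is the SHA-256 of the SubjectPublicKeyInfo, what key pinning compares.
func spkiPin(c *x509.Certificate) [32]byte {
	return sha256.Sum256(c.RawSubjectPublicKeyInfo)
}

// accept is the client-side check. With pins == nil it is the 2011 browser rule:
// any chain to any trusted root covering host passes. With pins set, some
// certificate in a valid chain must also match a pinned key.
func accept(leaf *x509.Certificate, roots *x509.CertPool, host string, pins map[[32]byte]bool) bool {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err != nil {
		return false
	}
	for _, chain := range chains {
		for _, c := range chain {
			if pins == nil || pins[spkiPin(c)] {
				return true
			}
		}
	}
	return false
}

// Demo trusts two roots, lets the "compromised" one issue a www.google.com
// certificate, and reports whether chain validation alone, then chain validation
// plus a pin on the legitimate CA, accept it.
func Demo() (byChainOnly, withPinning bool) {
	legitCA, _ := newCA("Example Legit Root CA", 1)
	rogueCA, rogueKey := newCA("Example Compromised CA", 2)
	roots := x509.NewCertPool()
	roots.AddCert(legitCA)
	roots.AddCert(rogueCA) // both sit in the trust store, as DigiNotar did in 2011
	leaf := issueLeaf(rogueCA, rogueKey, "www.google.com")
	pins := map[[32]byte]bool{spkiPin(legitCA): true} // the key the site really chains to
	return accept(leaf, roots, "www.google.com", nil), accept(leaf, roots, "www.google.com", pins)
}

func main() {
	fmt.Println(Demo()) // prints: true false
}
```

The first result is the whole DigiNotar problem in one line: every trusted root is equally able to vouch for every name, so one breached CA breaks the guarantee for all sites. The second result is why browsers later added pinning (and, more broadly, Certificate Transparency): the check no longer accepts "some root signed this" but "the root this site is known to use signed this".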
IT security firm Fox-IT, hired by DigiNotar to investigate the breach, said in an interim report released Monday, titled Operation Black Tulip, that several of DigiNotar's servers had been compromised by attackers whose activity traced back to Iran, with intrusion activity between June 17 and July 22 and a total of 534 rogue certificates issued.
DigiNotar found and revoked 128 rogue certificates by July 21, and another 75 fraudulent certificates were discovered and revoked by July 27.
However, on July 29 the Dutch certificate authority discovered a fraudulent google.com certificate that had not been detected before. Fox-IT then examined the logs of DigiNotar's OCSP responder, the service browsers query to ask whether a certificate has been revoked, and found status requests for the rogue google.com certificate from about 300,000 unique IP addresses, 99 percent of them in Iran, suggesting that the attack was designed to intercept and spy on the Web communications of Iranian citizens.
"The list of domains and the fact that 99 percent of the users are in Iran suggest that the objective of the hackers is to intercept private communications in Iran," Fox-IT said in its report.
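How a count like that is produced, as an added example that is not Fox-IT's own tooling: a browser shown a certificate may ask the issuing CA's OCSP responder whether it has been revoked, so requests for a serial number the CA has no record of issuing reveal both that a rogue certificate exists and roughly how many clients were shown it. The Go program below walks a constructed, hypothetical responder log (the line format, client addresses and serial numbers are all invented for the example), skips serials present in the CA's issuance records, and counts distinct client IPs per unknown serial.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// Constructed sample of OCSP responder log lines, one request per line as
// "time client_ip serial_hex". The format is hypothetical, not DigiNotar's.
const sampleOCSPLog = `2011-08-04T10:01:02Z 198.51.100.7 0A1B
2011-08-04T10:01:05Z 203.0.113.4 00FF
2011-08-04T10:01:09Z 203.0.113.9 00FF
2011-08-04T10:01:11Z 203.0.113.4 00FF
2011-08-04T10:02:00Z 192.0.2.33 0A1C
2011-08-04T10:02:30Z 203.0.113.77 00ff
this line is malformed and must be skipped
2011-08-04T10:03:00Z 198.51.100.8 1234`

// Serials the CA's own issuance records know about (constructed).
var issuedSerials = map[string]bool{"0A1B": true, "0A1C": true}

// Finding is a serial the responder was asked about but the CA never recorded
// issuing, with the number of distinct clients that asked about it.
type Finding struct {
	Serial    string
	UniqueIPs int
}

// FindUnknownSerials walks the log, ignores serials present in the issuance
// records, and counts distinct client IPs per unknown serial. A serial with no
// issuance record but many distinct clients is exactly the DigiNotar pattern.
func FindUnknownSerials(log string, issued map[string]bool) []Finding {
	ipsBySerial := map[string]map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 3 {
			continue // not the expected shape; a real tool would count these too
		}
		ip, serial := f[1], strings.ToUpper(f[2])
		if issued[serial] {
			continue
		}
		if ipsBySerial[serial] == nil {
			ipsBySerial[serial] = map[string]bool{}
		}
		ipsBySerial[serial][ip] = true
	}
	out := make([]Finding, 0, len(ipsBySerial))
	for s, ips := range ipsBySerial {
		out = append(out, Finding{Serial: s, UniqueIPs: len(ips)})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].UniqueIPs > out[j].UniqueIPs })
	return out
}

func main() {
	for _, f := range FindUnknownSerials(sampleOCSPLog, issuedSerials) {
		fmt.Printf("serial %s: no issuance record, %d distinct clients\n", f.Serial, f.UniqueIPs)
	}
}
```

Two caveats a practitioner would add: the comparison only works if the CA's issuance database is itself trustworthy, which Fox-IT could not assume here because the attackers had administrator rights on the CA servers, and the client IP is only a proxy for the victim, so the count is an estimate of affected users rather than an exact figure.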
During its investigation, Fox-IT said that it “found traces of hacker activity with administrator rights” on the Qualified and PKIoverheid CA server, as well as on other CA servers, indicating that the servers were inadequately secured and patched.
“The successful hack implies that the current network setup and/or procedures at DigiNotar are not sufficiently secure to prevent this kind of attack,” Fox-IT said.
Fox-IT also found that the servers had no antivirus protection and no secure central network logging, and that all installed software was "outdated and not patched." In addition, all of the CA servers were members of one Windows domain, so a single stolen username and password combination gave access to all of them, and that password was "not very strong and could easily be brute-forced," Fox-IT said.
The security firm did not identify the attackers, but said that at least one script found on the servers contained a fingerprint identical to one found during a similar hack against SSL certificate authority Comodo.
Earlier this year, hackers targeted Comodo through four of its resellers in attacks that gave them unauthorized access to sensitive data.
“In at least one script, fingerprints from the hacker are left on purpose, which were also found in the Comodo breach investigation of March 2011,” Fox-IT said.
The assertion coincides with a post on pastebin.com, in which an Iranian hacker who attacked Comodo resellers earlier this year also claimed responsibility for the recent DigiNotar hack.
The hacker said that the attack was in retaliation for the Dutch government’s failure to protect Srebrenica during the Bosnian War.
"I wanted to let the world know that ANYTHING you do will have consequences, ANYTHING your country, anything your country did in past, you have to pay for it," the hacker said in the pastebin post.
“I thought if I issue certs from Dutch Gov. CA they’ll lose a lot of money,” he added. “When Dutch government, exchanged 8,000 Muslim for 30 Dutch soldiers and Animal Serbian soldiers killed 8,000 Muslims in sameday, Dutch government have to pay for it. Nothing is changed, just 16 years has been passed. Dutch government’s 13 million dollars which paid for DigiNotar will have to go DIRECTLY into trash.”
Fox-IT said it would hand the list of affected IP addresses to Google so the search giant could inform its users that their e-mail, as well as their login cookies, could have been intercepted.
“Using this cookie, the hacker is able to log in directly to the Gmail mailbox of the victim and also read the stored e-mails. Besides that, he is able to log in all other services Google offers to users like stored location information from Latitude or documents in GoogleDocs,” Fox-IT said.
Fox-IT warned that hackers could use the captured information to break into and launch attacks on other accounts belonging to the affected Iranian users, and advised them to change their login credentials altogether.
"Once the hacker is able to receive his targets' e-mail, he is also able to reset passwords of other services like Facebook and Twitter using the lost password button. The login cookies stay valid for a longer period," Fox-IT said. "It would be wise for all users in Iran to at least logout and login but even better, change passwords."