300,000 Iranian IP Addresses Compromised In DigiNotar SSL Hack


Google Web mail was likely compromised for 300,000 Iranian customers by hackers issuing fraudulent security certificates following a cyber attack against Dutch certificate authority DigiNotar, according to investigators.

Certificate authorities, or CAs, such as DigiNotar, digitally sign the certificates that Web sites present to browsers, providing the trusted indicator that authenticates a site protected by Secure Sockets Layer, or SSL.

Attackers holding fraudulently issued DigiNotar SSL certificates could impersonate the affected domains, which allowed them to intercept everything users entered while carrying out spoofing and man-in-the-middle attacks.

IT consultancy firm Fox-IT, enlisted by DigiNotar to investigate the SSL hack dubbed Operation Black Tulip, revealed in an interim report Monday that numerous servers had been compromised by hackers originating from Iran between June 17 and July 22, resulting in a total of 534 rogue certificates being issued.

DigiNotar found and revoked 128 rogue certificates by July 21, while 75 more fraudulent certificates were discovered and revoked by July 27.

However, on July 29, the Dutch certificate authority discovered a fraudulent google.com certificate that had not previously been detected. The Fox-IT report identified requests from 300,000 unique IP addresses for the phony google.com certificate, 99 percent of them originating from Iran, suggesting that the hacks were intentionally executed to intercept and spy on the Web communications of Iranian citizens.
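The detection described above (certificates the CA never recorded issuing, and the population of clients checking them) can be reproduced over certificate-status request logs. The following is an added example, not code from the article or from Fox-IT; it assumes a hypothetical responder log format and constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample of certificate-status responder log lines (hypothetical
# format, not DigiNotar's real logs): timestamp, client IP, serial queried.
SAMPLE_LOG = """\
2011-07-29T10:00:01Z 10.0.0.1 serial=0x05E2
2011-07-29T10:00:02Z 10.0.0.2 serial=0x05E2
2011-07-29T10:00:03Z 10.0.0.1 serial=0x05E2
2011-07-29T10:00:04Z 10.0.0.3 serial=0x1A7F
2011-07-29T10:00:05Z 10.0.0.4 serial=0x05E2
2011-07-29T10:00:06Z garbage line
"""

# Serial numbers that the CA's own issuance register lists (constructed).
ISSUED_SERIALS = {"0x1A7F", "0x2B00"}

LINE_RE = re.compile(r"^(\S+) (\d{1,3}(?:\.\d{1,3}){3}) serial=(0x[0-9A-Fa-f]+)$")


def parse_log(text):
    """Yield (timestamp, client_ip, serial) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3).lower()


def find_rogue_serials(text, issued):
    """Map each serial absent from the CA's register to the set of unique
    client IPs that asked about it. A serial that clients are validating but
    that the CA never recorded issuing is the signature of a certificate
    minted behind the CA's back; the size of the IP set is the exposure."""
    issued_lc = {s.lower() for s in issued}
    seen = defaultdict(set)
    for _ts, ip, serial in parse_log(text):
        if serial not in issued_lc:
            seen[serial].add(ip)
    return dict(seen)


if __name__ == "__main__":
    for serial, ips in find_rogue_serials(SAMPLE_LOG, ISSUED_SERIALS).items():
        print(f"unregistered serial {serial}: {len(ips)} unique client IPs")
```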

“The list of domains and the fact that 99 percent of the users are in Iran suggest that the objective of the hackers is to intercept private communications in Iran,” Fox-IT said in its report.

During its investigation, Fox-IT said that it “found traces of hacker activity with administrator rights” on the Qualified and PKIoverheid CA server, as well as on other CA servers, indicating that the servers were inadequately secured and patched.

“The successful hack implies that the current network setup and/or procedures at DigiNotar are not sufficiently secure to prevent this kind of attack,” Fox-IT said.

Upon further exploration, Fox-IT found that the servers lacked any antivirus protection and contained no secure central network logging system, while all installed software was “outdated and not patched.” In addition, the CA servers were members of one Windows domain, making it possible to access information by using one stolen user/password combination, which was “not very strong and could easily be brute-forced,” Fox-IT said.

The security firm didn’t identify the attackers, but said that at least one script included a digital fingerprint that was identical to a fingerprint found during a similar hack against SSL certificate authority Comodo.

Earlier this year, hackers targeted Comodo by going after four of its resellers in attacks that enabled them to gain unauthorized access to sensitive data.

“In at least one script, fingerprints from the hacker are left on purpose, which were also found in the Comodo breach investigation of March 2011,” Fox-IT said.

The assertion coincides with a post on pastebin.com, in which an Iranian hacker who attacked Comodo resellers earlier this year also claimed responsibility for the recent DigiNotar hack.
