Comodo Web Certificates Heist Linked To Iranian ISP

A Comodo Security partner was compromised and attackers issued valid digital certificates for popular Websites that would have potentially allowed them to spoof content and perform man-in-the-middle attacks, Microsoft warned.

The nine fraudulent Web certificates affected seven domains, including Microsoft Live service, Google’s mail system, Yahoo and Skype, Microsoft said in a March 23 security advisory. There are no active attacks at this time, according to Bruce Cowper, group manager of trustworthy computing at Microsoft.

Revoked Certificates Removes The Sting

Comodo has revoked these certificates, and the malicious certificates are listed in Comodo’s current Certificate Revocation List, according to Comodo. No Web browser should be accepting the incorrect certificates at this time, Comodo said.

The perpetrators would have been able to spoof content, perform phishing attacks or perform man-in-the-middle attacks only if they had control of the Domain Name System infrastructure as well, Comodo said.

Comodo said the attack originated from an IP address assigned to an Internet service provider in Iran. One certificate for Yahoo’s login page was tested using a server in Iran, but had already been revoked and was blocked from being used, according to Comodo’s incident report.

The server in question has stopped responding to requests. The IP address and server information may be circumstantial evidence as the attacker could have been attempting to lay a false trail, Comodo said. However, the company also noted that the Iranian government has recently attacked other encrypted methods of communication.

Iranian Government Could Be Implicated

Unlike a typical cyber-criminal, who would have targeted financial organisations, this particular attacker focused on communications infrastructure. The targeted domains would be of “greatest use” to a government attempting surveillance of Internet use by dissidents, especially considering the recent turmoil in North Africa and the Persian Gulf region, Comodo said.

Comodo believes this was likely a state-driven attack. This is the first time Comodo is seeing a “state funded” attack against the authentication infrastructure, said Melih Abdulhayoglu, CEO and chief security architect of Comodo.

The attacker obtained the user name and password of a Comodo trusted partner in Southern Europe who was authorised to perform primary validation of certificate requests, Comodo wrote on its blog. The attacker used the stolen credentials to log in to the Comodo RA (root authority) account, and issued those certificates on March 15, according to the post.

“The attacker was well-prepared and knew in advance what he was to try to achieve. He seemed to have a list of targets that he knew he wanted to obtain certificates for, was able quickly to generate the CSRs [certificate signing requests] for these certificates and submit the orders to our system so that the certificates would be produced and made available to him,” Comodo said.

The attacker was still using the account when the breach was identified and the account suspended, possibly preventing more certificates from being issued, Comodo said. Remediation efforts began “immediately”, and additional audits and controls have been deployed. Comodo has declined to specify details regarding controls that were implemented.

Comodo root keys, intermediate CAs or secure hardware were not compromised, the company said. The attacker created a new user account, which has also been suspended. Comodo is “not yet clear” about the nature of the partner’s data breach other than the fact that the partner’s other online accounts were also compromised, he said.

Users who have enabled Online Certificate Status Protocol on their Web browsers will interactively validate these certificates and block them from being used. Comodo has monitored the OCSP responder traffic and has not detected any attempts to use the certificates after they were revoked, according to the incident report.

The certificates were issued for “Global Trustee” as well as for the following URLs: login.live.com, mail.google.com, google.com, login.skype.com and addons.mozilla.org. There were three certificates issued for login.yahoo.com, as well. Only one of the certificates for Yahoo was seen live on the Internet, according to the incident report. Comodo is not sure if the attackers received all the requested certificates in the first place.

Microsoft has developed a mitigation update, which is available through the Microsoft Download Center and the Windows Update Service. Customers can download the update to help protect against inadvertent use of the fraudulent digital certificates, said Microsoft’s Cowper.

While it is worrying that attackers were able to obtain a trusted certificate for a domain not under their control, it was only a small step in a larger attack, Brian Trzupek, Trustwave’s vice president of managed identity and SSL, told eWEEK. Even with the certificates in hand, they would have still needed to tamper with the domain name server infrastructure to direct users to the malicious site holding the fraudulent certificate before they could have done any harm, according to Trzupek.

According to Comodo’s incident report, attackers requested nine certificates, but definitely received only one before the account was suspended. Comodo was not clear whether the attackers ever received the remaining certificates.

Rapid Action Prevented Larger Exploit

The March 15 breach was detected fairly quickly, so by the time the attackers got around to testing one of the certificates, it had already been revoked, according to Comodo.

The first step in this complicated attack required attackers to somehow compromise a Comodo trusted partner in Southern Europe, Comodo said. While Comodo did not specify the nature of the data breach, the partner had several login credentials to other online accounts stolen, as well, Comodo wrote in its blog post.

“It is likely that this cert type was combined with another attack vector to allow the attacker to gain access to the certificate,” Trzupek said.

The certificates themselves were not the ultimate goal. One of the domains the attacker targeted was the Mozilla Firefox add-on update server. Once users were redirected to the malicious site, the attackers could have injected arbitrary code into the Web browser or conned users looking for Firefox plug-ins that downloaded Trojans or key-loggers from the fraudulent site, Trzupek said. That would have been the final payoff for the attackers, whether it is gaining access to financial accounts, data theft or compromising the host machine, Trzupek said.

Comodo also noted that the targeted domains would have been of “greatest use” to a government attempting surveillance of Internet use by dissidents, especially considering the recent turmoil in North Africa and the Persian Gulf region.

The issued SSL certificate is generally a “domain validation only” certificate, Trzupek said. These types of certificates usually undergo automated validation where human review does not occur, he said.

While this attack affected only the Comodo certificate authority and not others, this could have had bigger implications as all Web browsers that trust Comodo as a root authority would have been affected, said Trzupek. For example, Comodo is included as a trusted root certification authority on all supported versions of Microsoft Windows.

Users should make sure to be on modern and fully updated browsers, as well as ensure they have not disabled CRL (Certificate Revocation List) or OCSP (Online Certificate Status Protocol) security checks in the browser.