Comodo Web Certificates Heist Linked To Iranian ISP

While it is worrying that attackers were able to obtain a trusted certificate for a domain not under their control, it was only a small step in a larger attack, Brian Trzupek, Trustwave’s vice president of managed identity and SSL, told eWEEK. Even with the certificates in hand, they would have still needed to tamper with the domain name server infrastructure to direct users to the malicious site holding the fraudulent certificate before they could have done any harm, according to Trzupek.

According to Comodo’s incident report, attackers requested nine certificates, but definitely received only one before the account was suspended. Comodo was not clear whether the attackers ever received the remaining certificates.

Rapid Action Prevented Larger Exploit

The March 15 breach was detected fairly quickly, so by the time the attackers got around to testing one of the certificates, it had already been revoked, according to Comodo.

The first step in this complicated attack required attackers to somehow compromise a Comodo trusted partner in Southern Europe, Comodo said. While Comodo did not specify the nature of the data breach, the partner had several login credentials to other online accounts stolen, as well, Comodo wrote in its blog post.

“It is likely that this cert type was combined with another attack vector to allow the attacker to gain access to the certificate,” Trzupek said.

The certificates themselves were not the ultimate goal. One of the domains the attacker targeted was the Mozilla Firefox add-on update server. Once users were redirected to the malicious site, the attackers could have injected arbitrary code into the Web browser or conned users looking for Firefox plug-ins that downloaded Trojans or key-loggers from the fraudulent site, Trzupek said. That would have been the final payoff for the attackers, whether it is gaining access to financial accounts, data theft or compromising the host machine, Trzupek said.

Comodo also noted that the targeted domains would have been of “greatest use” to a government attempting surveillance of Internet use by dissidents, especially considering the recent turmoil in North Africa and the Persian Gulf region.

The issued SSL certificate is generally a “domain validation only” certificate, Trzupek said. These types of certificates usually undergo automated validation where human review does not occur, he said.

While this attack affected only the Comodo certificate authority and not others, this could have had bigger implications as all Web browsers that trust Comodo as a root authority would have been affected, said Trzupek. For example, Comodo is included as a trusted root certification authority on all supported versions of Microsoft Windows.

Users should make sure to be on modern and fully updated browsers, as well as ensure they have not disabled CRL (Certificate Revocation List) or OCSP (Online Certificate Status Protocol) security checks in the browser.

Fahmida Y Rashid eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved.

View Comments

Recent Posts

Apple Sales Rise 6 Percent After Early iPhone 16 Demand

Fourth quarter results beat Wall Street expectations, as overall sales rise 6 percent, but EU…

20 hours ago

X’s Community Notes Fails To Stem US Election Misinformation – Report

Hate speech non-profit that defeated Elon Musk's lawsuit, warns X's Community Notes is failing to…

21 hours ago

Google Fined More Than World’s GDP By Russia

Good luck. Russia demands Google pay a fine worth more than the world's total GDP,…

22 hours ago

Spotify, Paramount Sign Up To Use Google Cloud ARM Chips

Google Cloud signs up Spotify, Paramount Global as early customers of its first ARM-based cloud…

2 days ago

Meta Warns Of Accelerating AI Infrastructure Costs

Facebook parent Meta warns of 'significant acceleration' in expenditures on AI infrastructure as revenue, profits…

2 days ago

AI Helps Boost Microsoft Cloud Revenues By 33 Percent

Microsoft says Azure cloud revenues up 33 percent for September quarter as capital expenditures surge…

2 days ago