Up to 300,000 Iranian users may have been compromised in the attack on Dutch digital certificate authority (CA) DigiNotar, uncovered late last month.
The attack resulted in the issuance of 531 fraudulent certificates, including wildcard certificates for *.google.com.
A report released overnight revealed traces of hacker activity that began in June - nearly three months before the fraudulent Google wildcard certificate was revoked.
The investigation, dubbed Operation Black Tulip (pdf), also found fingerprints like those left by the hacker who attacked web authentication firm Comodo in March.
Investigators Fox-IT found that DigiNotar lacked basic security controls, logging, anti-virus or adequate password security, and servers were riddled with malware.
Almost all of the 300,000 unique IP addresses requesting access to google.com using the fraudulent certificate originated from Iran.
The remaining sources were relays used by the free Tor proxy anonymity network.
Report authors stated that DigiNotar had handed over the list of compromised IP addresses to Google, which would inform users that their Google accounts including Gmail may have been accessed.
“The hacker is able to log in directly to the Gmail mailbox of the victim and also read the stored e-mails,” Fox-IT reported.
“Besides that, he is able to log in to all other services Google offers to users like stored location information from Latitude or documents in Google Docs.
“Once the hacker is able to receive his targets' e-mail he is also able to reset passwords of other services like Facebook and Twitter using the lost password button. The login cookie stays valid for a longer period.”
The report was scathing of the security architecture in place at DigiNotar.
“The network has been severely breached. All CA servers were members of one Windows domain, which made it possible to access them all using one obtained user/password combination. The password was not very strong and could easily be brute-forced.”
The investigators had “strong indications” that CA servers were accessible over the local area network, which had been "severely breached".
Servers that lacked anti-virus protections were hosting known malware. Tools that separated critical components were either malfunctioning or not installed.
Public-facing software was unpatched, secure central network logging did not exist and although DigiNotar's unnamed intrusion prevention systems were operational, they failed to block the attacks.
The ongoing and incomplete investigation into the attacks found that the suspected Comodo attacker had left a PKI script on the affected DigiNotar servers that showed considerable skill.
That script was used to generate DigiNotar signatures for certificates that had previously been requested.
The suspected Comodo hacker used the same callsign, "Janam Fadaye Rahbarand", which investigators translated as: “I will sacrifice my soul for the leader.”
In March, the suspected attacker brazenly boasted of issuing fraudulent certificates from CA Comodo.
Both attacks were linked to Iran.
Fraudulent certificates were issued for Facebook, Microsoft, Hotmail, Wordpress, Android, Microsoft update, and security firm CyberTrust, among others.
Report authors suspected the Dutch Ministry of Security and Justice, the Dutch Bar Association and DigiNotar Root CA Administrative of releasing the fraudulent certificates.
The fraudulent Google wildcard certificate allowed a variety of the company's services to be misused to steal data from users.
DigiNotar lacked the ability to determine how many and which certificates were affected, so on 1 September it set its Online Certificate Status Protocol (OCSP) responder to revoke certificates.
Those OCSP logs revealed “some activity” for the fraudulent *.torproject.org wildcard certificate, but the investigation noted that this did not prove that rogue certificates “weren’t abused between the issue date and revocation date of the certificates”, because applications may not have used OCSP to check for revoked certificates at all.
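Fox-IT's count of unique client addresses came from the OCSP responder logs. As an added example, not code from the report or from DigiNotar, the Python below shows the shape of that analysis: compare the serials clients ask the responder about against the CA's own issuance records, and tally distinct client IPs and first-seen time for any serial the CA never issued. The log format, serials, addresses and timestamps are all constructed.

```python
import re
from collections import defaultdict

# Constructed OCSP responder access-log lines (hypothetical format:
# ISO-8601 timestamp, client IP, hex serial queried, responder answer).
# This is not DigiNotar's real log format.
OCSP_LOG = """\
2011-07-27T10:15:02Z 10.0.0.5 0x05E2 good
2011-07-27T10:16:11Z 203.0.113.7 0x1A3F good
2011-07-27T10:16:12Z 203.0.113.8 0x1A3F good
2011-08-28T09:01:45Z 198.51.100.3 0x1A3F good
2011-08-28T09:01:46Z 203.0.113.7 0x1A3F good
2011-08-29T12:00:00Z 192.0.2.10 0x2B77 good
this line is malformed and must be skipped
"""

# Serials present in the CA's own issuance records (constructed). A serial
# clients ask about that is absent here was never legitimately issued, which
# is the signature of a certificate signed outside the normal process.
ISSUED_SERIALS = {"0x05E2"}

LINE_RE = re.compile(r"^(\S+) (\S+) (0x[0-9A-Fa-f]+) (\S+)$")


def parse_ocsp_log(text):
    """Yield (timestamp, client_ip, serial) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3)


def rogue_serial_activity(log_text, issued_serials):
    """For every queried serial missing from the issuance records, return the
    set of distinct client IPs that asked about it and the earliest request.
    Timestamps are ISO-8601 UTC strings, so string comparison orders them."""
    seen = defaultdict(lambda: {"ips": set(), "first_seen": None})
    for ts, ip, serial in parse_ocsp_log(log_text):
        if serial in issued_serials:
            continue
        entry = seen[serial]
        entry["ips"].add(ip)
        if entry["first_seen"] is None or ts < entry["first_seen"]:
            entry["first_seen"] = ts
    return dict(seen)
```

The distinct-IP count is a lower bound on affected clients only for addresses that actually queried the responder; clients that skip OCSP, and users behind shared exits such as Tor relays, do not appear individually.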
The investigation also determined that at least two external certificate servers were compromised. A variety of custom and off-the-shelf hacking tools such as Cain and Abel were found on the servers.