Report of incident on 15-MAR-2011<\/b><\/p>\n
An RA suffered an attack that resulted in a breach of one user account of that specific RA.
This RA account was then used fraudulently to issue 9 certificates (across 7 different domains).<\/p>\n
All of these certificates were revoked immediately on discovery.
Monitoring of OCSP responder traffic has not detected any attempted use of these certificates after their revocation.<\/p>\n
Fraudulently issued certificates<\/b><\/p>\n
9 certificates were issued as follows:<\/p>\n
Domain: mail.google.com [NOT seen live on the internet]
Serial: 047ECBE9FCA55F7BD09EAE36E10CAE1E<\/p>\n
Domain: www.google.com [NOT seen live on the internet]
Serial: 00F5C86AF36162F13A64F54F6DC9587C06<\/p>\n
Domain: login.yahoo.com [Seen live on the internet]
Serial: 00D7558FDAF5F1105BB213282B707729A3<\/p>\n
Domain: login.yahoo.com [NOT seen live on the internet]
Serial: 392A434F0E07DF1F8AA305DE34E0C229<\/p>\n
Domain: login.yahoo.com [NOT seen live on the internet]
Serial: 3E75CED46B693021218830AE86A82A71<\/p>\n
Domain: login.skype.com [NOT seen live on the internet]
Serial: 00E9028B9578E415DC1A710A2B88154447<\/p>\n
Domain: addons.mozilla.org [NOT seen live on the internet]
Serial: 009239D5348F40D1695A745470E1F23F43<\/p>\n
Domain: login.live.com [NOT seen live on the internet]
Serial: 00B0B7133ED096F9B56FAE91C874BD3AC0<\/p>\n
Domain: global trustee [NOT seen live on the internet]
Serial: 00D8F35F4EB7872B2DAB0692E315382FB0<\/p>\n
What didn\u2019t Happen<\/b><\/p>\n
Our CA infrastructure was not compromised.
Our keys in our HSMs were not compromised.
No other RA was compromised. No other RA user accounts were compromised.<\/p>\n
What Happened<\/b><\/p>\n
One user account in one RA was compromised.
The attacker created himself a new userID (with a new username and password) on the compromised user account.<\/p>\n
The attack came from several IP addresses, but mainly from Iran.<\/p>\n
IP Address: 212.95.136.18
City: Tehran
State or Region: Tehran
Country: Iran, Islamic Republic of
ISP: Pishgaman TOSE Ertebatat Tehran Network.
Latitude & Longitude: 35.696111 51.423056 <\/p>\n
The attacker was well prepared and knew in advance what he was to try to achieve. He seemed to have a list of targets that he knew he wanted to obtain certificates for, was able quickly to generate the CSRs for these certificates and submit the orders to our system so that the certificates would be produced and made available to him.<\/p>\n
Although they requested 9 certificates we do not know if they received all of these certificates.<\/p>\n
We know that they definitely received one of the certificates.
All certificates were revoked immediately on discovery.
Our systems indicate that when this one certificate was first tested it received a \u2018revoked\u2019 response from our OCSP responders.
The site in Iran on which the certificate was tested quickly became unavailable.<\/p>\n
We immediately got in touch with the principal browsers and domain owners and alerted them to what had happened.
There was a coordinated effort for a responsible disclosure.<\/p>\n
All relevant government authorities were informed and involved.<\/p>\n
The RA account in question has been suspended pending on-going forensic investigation.<\/p>\n
We immediately introduced new controls in the wake of this new threat to the authentication platform.<\/p>\n
Our interpretation<\/b><\/p>\n
The circumstantial evidence suggests that the attack originated in Iran.
The perpetrator has focussed simply on the communication infrastructure (not the financial infrastructure as a typical cyber-criminal might).
The perpetrator can only make use of these certificates if it had control of the DNS infrastructure.
The perpetrator has executed its attacks with clinical accuracy.
The Iranian government has recently attacked other encrypted methods of communication.
All of the above leads us to one conclusion only:- that this was likely to be a state-driven attack.<\/p>\n
source: http:\/\/www.comodo.com\/Comodo-Fraud-Incident-2011-03-23.html<\/p>\n","protected":false},"excerpt":{"rendered":"