DigiNotar Hackers Used 'Advanced Tools' for Intrusion, Report Says
Hackers who attacked the Dutch firm DigiNotar used advanced tools for their intrusion and have been active for a long time, according to the preliminary investigation by the Dutch IT firm Fox-IT.
"We found that the hackers were active for a longer period of time. They used known hacker tools as well as software and scripts developed specifically for this task. Some of the software gives an amateurish impression, while some scripts, on the other hand, are very advanced," the report said.
In at least one script, the hacker left fingerprints on purpose, which were also found in the Comodo breach investigation of March 2011. Parts of the log files that would reveal more about the creation of the signatures were deleted.
On July 19, DigiNotar detected an intrusion into its Certificate Authority infrastructure that resulted in the fraudulent issuance of public key certificate requests for a number of domains, including Google.com.
Around 300,000 unique requesting IPs to google.com have been identified. Of these, 99 percent originated from Iran.
Using a stolen certificate, the hacker, or hackers, monitored people who visited Google, could steal their passwords and could obtain access to other services such as Facebook and Twitter, Fox-IT said.
The report also showed the following plain text left in a script used to generate signatures on rogue certificates:
While it was initially thought only a fraudulent *.google.com certificate had been issued, DigiNotar belatedly admitted that dozens of fraudulent certificates have been created, including certificates for the domains of Yahoo!, Mozilla, WordPress and The Tor Project. DigiNotar could not guarantee that all of them had been revoked.
Following is the timeline of the DigiNotar attack:
Timeline
06-Jun-2011 | Possibly the first exploration by the attacker(s)
17-Jun-2011 | Servers in the DMZ under the control of the attacker(s)
19-Jun-2011 | Incident detected by DigiNotar through its daily audit procedure
02-Jul-2011 | First attempt at creating a rogue certificate
10-Jul-2011 | First successful rogue certificate (*.google.com)
20-Jul-2011 | Last known successful rogue certificate created
22-Jul-2011 | Last outbound traffic to the attacker(s) IP (not confirmed)
22-Jul-2011 | Start of investigation by an IT-security firm (not confirmed)
27-Jul-2011 | Delivery of the IT-security firm's security report
27-Jul-2011 | First rogue *.google.com OCSP request
28-Jul-2011 | First observation that rogue certificates were being verified from Iran
04-Aug-2011 | Start of massive *.google.com activity on the OCSP responder
27-Aug-2011 | First mention of the *.google.com certificate in a blog
29-Aug-2011 | GOVCERT.NL is notified by CERT-BUND
29-Aug-2011 | The *.google.com certificate is revoked
30-Aug-2011 | Start of investigation by Fox-IT
30-Aug-2011 | Incident response sensor active
01-Sep-2011 | OCSP responses based on a whitelist
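The last timeline entry, switching OCSP to a whitelist, matters because the report notes that parts of the issuance logs were deleted and DigiNotar could not guarantee every rogue certificate had been revoked. The following Python model is added here as an illustration and is not code from the report or from DigiNotar's systems; it contrasts the usual blacklist policy (anything not known to be revoked is "good") with a whitelist policy (only serials in the trusted issuance record are "good"). All serial numbers are constructed.

```python
from dataclasses import dataclass, field
from enum import Enum


class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"


@dataclass
class Responder:
    """Simplified OCSP decision logic (constructed example, hypothetical API)."""
    known_revoked: set = field(default_factory=set)  # serials the CA explicitly revoked
    known_issued: set = field(default_factory=set)   # serials the CA can vouch for
    whitelist_mode: bool = False

    def status(self, serial: str) -> Status:
        # An explicit revocation wins under either policy.
        if serial in self.known_revoked:
            return Status.REVOKED
        if not self.whitelist_mode:
            # Blacklist semantics: anything not revoked is answered "good",
            # including certificates the CA has no record of issuing.
            return Status.GOOD
        # Whitelist semantics: default-deny. A serial missing from the trusted
        # issuance record is answered "revoked" even if it carries a valid signature.
        return Status.GOOD if serial in self.known_issued else Status.REVOKED


def demo() -> dict:
    issued = {"0x1001", "0x1002"}      # constructed legitimate serials
    rogue = "0xdeadbeef"               # constructed serial of a rogue cert absent from the logs
    blacklist = Responder(known_issued=issued)
    whitelist = Responder(known_issued=issued, whitelist_mode=True)
    return {
        "blacklist_rogue": blacklist.status(rogue),   # Status.GOOD  (rogue cert passes)
        "whitelist_rogue": whitelist.status(rogue),   # Status.REVOKED
        "whitelist_legit": whitelist.status("0x1001"),  # Status.GOOD
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result.value}")
```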
© Copyright IBTimes 2023. All rights reserved.