Someone claiming to be the person behind last week’s attack on a registration authority tied to Comodo
has posted an explanation of the methods he supposedly used and the
reasons for the attack. The rambling, disjointed message claims that the
Comodo attack was not the act of an organized, state-sponsored group,
but was instead the work of a lone actor who stumbled upon a way in.

The message, which was posted on Pastebin on Saturday, is signed with the phrase “Janam Fadaye Rahbar.”

“I was looking to hack some CAs like Thawthe, Verisign, Comodo, etc. I found some small vulnerabilities in their servers, but it wasn’t enough to gain access to server to sign my CSRs. During my search about InstantSSL of Comodo, I found InstantSSL.it which was doing same thing under control of Comodo. After a little try, easily I got FULL access on the server, after a little investigation on their server, I found out that TrustDll.dll takes care of signing. It was coded in C#. Simply I decompiled it and I found username/password of their GeoTrust and Comodo reseller account. GeoTrust reseller URL was not working, it was in ADTP.cs,” the message says. “Then I found out their Comodo account works and Comodo URL is active. I logged into Comodo account and I saw I have right of signing using APIs. I had no idea of APIs and how it works. I wrote a code in C# for signing my CSRs using POST request to APIs, I learned their APIs so FAST and their TrustDLL.DLL was too old and was sending too little parameters, it wasn’t enough for signing a CSR. As I said, I rewrote the code for !AutoApplySSL and ! PickUpSSL APIs, first API returns OrderID of placed Order and second API returns entire signed certificate if you pass OrderID from previous call. I learned all these stuff, re-wrote the code and generated CSR for those sites all in about 10-15 minutes.”

The writer makes a point of saying that he is not part of the Iranian Cyber Army or any other organized crew and disputes the claims by Comodo that the attack was backed by a government agency. He claims that he went into Comodo’s infrastructure through the Italian site of one of its subsidiaries, InstantSSL. That site is down for maintenance right now.

The
alleged attacker also wrote in his message that the attention that the
attack was justified because of the apparent lack of repercussions for
whomever wrote the Stuxnet malware, which he blames on the U.S. and Israel.

“When
USA and Israel write Stuxnet, nobody talks about it, nobody gots
blamed, nothing happened at all, so when I sign certificates nothing
happens, I say that, when I sign certificates nothing should
happen. It’s a simple deal. When USA and Israel could read my emails in Yahoo, Hotmail, Skype,
Gmail, etc. without any simple little problem, when they can spy using
Echelon, I can do anything I can. It’s a simple rule. You do, I do,
that’s all. You stop, I stop,” he wrote.

The message’s author also had a parting shot for Mozilla, Google and Microsoft.

“To microsoft, mozilla and chrome who updated their softwares as soon as instructions came from
CIA. You are my targets too. Why Stuxnet’s Printer vulnerability patched after 2 years? Because it was need in Stuxnet? So you’ll learn sometimes you have to close your eyes on some stuff in internet, you’ll learn… You’ll learn,” he wrote.

Categories: Data Breaches, Social Engineering, Vulnerabilities

Comments (3)

  1. Eric Dorman
    1

    This hack seems politically motivated. I think he may strike again at either Google or Mozilla.

  2. Osyoniusx
    2

    Sounds like a cover up on what was done by the Iranians. What motive does he have otherwise to write such a thing. It is not without persuasion, but what individual could do all of that so simply, and then feel free to throw out counter-challenges effectively setting himself at war with the US.

    As for Iran, they struck first. And again and again, sponspering major terrorist strikes against the US in various countries through the Middle East. They also constantly declare themselves at combat with the US. What advantage is it to the US to be at war with them? Zero. Except for defensive.

    Defensive, it is nuts. We are forced into this situation.

    The nonsense about mossadegh and supporting the shah… is just that: nonsense. Yes, we did, but in both cases we were simply working with who was in power, or who the people wanted in power. Some can say “you should not support the brutal”, but what choice is there? Look at the guys who took over after the Shah. It is the difference between Pepsi and Coke. Brutal savagery either way.

    What is sad, though, is most Americans are not aware of Iranian terrorist attacks against the US through Iranian intelligence. They are good at what they do.

    Had these guys gotten away with the attack without discovery, they never would have a need to cover their asses like this. There would have been no email insisting we put down our guns so they can shoot us in the face.

    Ox

     

     

     

     

  3. Toby
    3

    ha!

    @Ox “What motive does he have otherwise to write such a thing. It is not
    without persuasion, but what individual could do all of that so simply,
    and then feel free…”

    I can’t tell if that rant is brilliant satire or the “hacker” responding to himself, but thanks for the laugh.

Comments are closed.