The same attacker who claimed to have compromised Comodo in March is now claiming responsibility for the attack on DigiNotar, the Dutch certificate authority that issued fraudulent certificates for several hundred domains in the last few weeks, including Google, Yahoo, Mozilla Add-Ons and several intelligence agencies. In the wake of the widening scandal, the Dutch government has performed an audit of the company's CA business, and browser vendors have revoked trust for the certificates DigiNotar issued for the Dutch government's PKI.
In a message posted to the same Pastebin account used to detail the Comodo attack six months ago, a user by the name of Comodohacker claims to have compromised not just DigiNotar but also four other high-profile CAs, including GlobalSign. The hacker also said that his actions are politically motivated, in retaliation for the Dutch involvement in the Srebrenica massacre in 1995. The hacker said that he attacked DigiNotar on July 11, the anniversary of that massacre.
The Pastebin message from the alleged attacker is troubling in many respects, not the least of which are his claims that he was able to bypass several different kinds of security mechanisms in place at DigiNotar, including a hardware security module. But the most serious claim is his assertion that he has hacked several other CAs and still has the ability to issue himself rogue certificates from them.
“You know, I have access to 4 more so HIGH profile CAs, which I can issue certs from them too which I will, I won't name them, I also had access to StartCom CA, I hacked their server too with so sophisticated methods, he was lucky by being sitting in front of HSM for signing, I will name just one more which I still have access: GlobalSign, let me use these accesses and CAs, later I'll talk about them too,” Comodohacker said in the Pastebin message, which was posted Sunday.
“I'll talk technical details of hack later, I don't have time now… How I got access to 6 layer network behind internet servers of DigiNotar, how I found passwords, how I got SYSTEM privilege in fully patched and up-to-date system, how I bypassed their nCipher NetHSM, their hardware keys, their RSA certificate manager, their 6th layer internal “CERT NETWORK” which have no ANY connection to internet, how I got full remote desktop connection when there was firewalls that blocked all ports except 80 and 443 and doesn't allow Reverse or direct VNC connections, more and more and more.”
The Dutch government said in its statement of results from the audit of DigiNotar that not only has it renounced its own trust in certificates issued by the CA, but it also has taken over operational management of the CA.
“On September 2, the results of an investigation by Fox-IT have been shared with the government, after which the government has denounced its trust in the DigiNotar certificates,” the fact sheet says. “The Dutch government has taken over operational management from DigiNotar.”
The report from the Dutch government on its audit also details some of the tactics used in the attack, including the presence of the Cain & Abel password-cracking and network-sniffing toolkit on one of the compromised servers. The attack appears to have started on June 17, which is earlier than the July 11 date the attacker himself gave, and continued for more than a month, with the attacker signing and issuing certificates to himself along the way. The attacker compromised several CA servers and, in addition to installing known attack tools, used custom scripts and tools tailored to the specific environment at DigiNotar, according to the audit report, which was done by security firm Fox-IT.
“A script was found on CA server public 2025. The script was written in a special scripting language only used to develop PKI software. The purpose of the script was to generate signatures by the CA for certificates which have been requested before. The script also contains English language. In the text the hacker left his fingerprint: Janam Fadaye Rahbar. The same text was found in the Comodo hack in March of this year. This breach also resulted in the generation of rogue certificates,” the report says.
The audit found that a total of 531 fraudulent certificates were issued and that the attacker compromised more than two dozen CAs within the DigiNotar infrastructure.