Someone claiming to be the person behind last week’s attack on a registration authority tied to Comodo
has posted an explanation of the methods he supposedly used and the
reasons for the attack. The rambling, disjointed message claims that the
Comodo attack was not the act of an organized, state-sponsored group,
but was instead the work of a lone actor who stumbled upon a way in.
The message, which was posted on Pastebin on Saturday, is signed with the phrase “Janam Fadaye Rahbar.”
“I was looking to hack some CAs like Thawthe, Verisign, Comodo, etc. I found some small vulnerabilities in their servers, but it wasn’t enough to gain access to server to sign my CSRs. During my search about InstantSSL of Comodo, I found InstantSSL.it which was doing same thing under control of Comodo. After a little try, easily I got FULL access on the server, after a little investigation on their server, I found out that TrustDll.dll takes care of signing. It was coded in C#. Simply I decompiled it and I found username/password of their GeoTrust and Comodo reseller account. GeoTrust reseller URL was not working, it was in ADTP.cs,” the message says. “Then I found out their Comodo account works and Comodo URL is active. I logged into Comodo account and I saw I have right of signing using APIs. I had no idea of APIs and how it works. I wrote a code in C# for signing my CSRs using POST request to APIs, I learned their APIs so FAST and their TrustDLL.DLL was too old and was sending too little parameters, it wasn’t enough for signing a CSR. As I said, I rewrote the code for !AutoApplySSL and ! PickUpSSL APIs, first API returns OrderID of placed Order and second API returns entire signed certificate if you pass OrderID from previous call. I learned all these stuff, re-wrote the code and generated CSR for those sites all in about 10-15 minutes.”
The writer makes a point of saying that he is not part of the Iranian Cyber Army or any other organized crew and disputes the claims by Comodo that the attack was backed by a government agency. He claims that he went into Comodo’s infrastructure through the Italian site of one of its subsidiaries, InstantSSL. That site is down for maintenance right now.
The
alleged attacker also wrote in his message that the attention that the
attack was justified because of the apparent lack of repercussions for
whomever wrote the Stuxnet malware, which he blames on the U.S. and Israel.
“When
USA and Israel write Stuxnet, nobody talks about it, nobody gots
blamed, nothing happened at all, so when I sign certificates nothing
happens, I say that, when I sign certificates nothing should
happen. It’s a simple deal. When USA and Israel could read my emails in Yahoo, Hotmail, Skype,
Gmail, etc. without any simple little problem, when they can spy using
Echelon, I can do anything I can. It’s a simple rule. You do, I do,
that’s all. You stop, I stop,” he wrote.
The message’s author also had a parting shot for Mozilla, Google and Microsoft.
“To microsoft, mozilla and chrome who updated their softwares as soon as instructions came from
CIA. You are my targets too. Why Stuxnet’s Printer vulnerability patched after 2 years? Because it was need in Stuxnet? So you’ll learn sometimes you have to close your eyes on some stuff in internet, you’ll learn… You’ll learn,” he wrote.
