Microsoft has been immediately started the procedure to update its Certificate Trust list (CTL) and all versions of its OSs to revoke the certificate. Microsoft has also decided to revoke other two certificates for the same reason, it seems that some attacks using the first certificate have been already detected, fraudulent digital certificate that was mistakenly issued by a domain registrar run by a Turkish domain registrar.
Microsoft has issued a security advisory "Microsoft Security Advisory (2798897) -Fraudulent Digital Certificates Could Allow Spoofing" that states:
"Microsoft is aware of active attacks using one fraudulent digital certificate issued by TURKTRUST Inc., which is a CA present in the Trusted Root Certification Authorities Store. This fraudulent certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. This issue affects all supported releases of Microsoft Windows.
Cracking the Code: Learn How Cyber Attackers Exploit Human Psychology
Ever wondered why social engineering is so effective? Dive deep into the psychology of cyber attackers in our upcoming webinar.Join Now
TURKTRUST Inc. incorrectly created two subsidiary CAs (*.EGO.GOV.TR and e-islem.kktcmerkezbankasi.org). The *.EGO.GOV.TR subsidiary CA was then used to issue a fraudulent digital certificate to *.google.com. This fraudulent certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against several Google web properties.
To help protect customers from the fraudulent use of this digital certificate, Microsoft is updating the Certificate Trust list (CTL) and is providing an update for all supported releases of Microsoft Windows that removes the trust of certificates that are causing this issue."
It's still unknown which is the real target of attack neither their geographic distribution, Microsoft advisory refers the domain kktcmerkezbankasi.org a web site that present itself as the Central Bank of the Turkish Republic of Northern Cyprus (TRNC).
Google On-Line Security Blog published a blog post that reported that on Dec. 24, 2012, its Chrome Web browser detected and blocked an unauthorized digital certificate for the "*.google.com" domain.
The post states:
"We investigated immediately and found the certificate was issued by an intermediate certificate authority (CA) linking back to TURKTRUST, a Turkish certificate authority. Intermediate CA certificates carry the full authority of the CA, so anyone who has one can use it to create a certificate for any website they wish to impersonate.
In response, we updated Chrome's certificate revocation metadata on December 25 to block that intermediate CA, and then alerted TURKTRUST and other browser vendors. TURKTRUST told us that based on our information, they discovered that in August 2011 they had mistakenly issued two intermediate CA certificates to organizations that should have instead received regular SSL certificates."
In a blog post published a In 2011 I explained which is the usefulness to steal a CA certificate:
- Malware production - Installation for certain types of software could needs that its code is digitally signed with a trusted certificate. By stealing the certificate of a trusted vendor reduces the possibility that the malicious software being detected as quickly. That is exactly what happend for Stuxnet virus.
- Economic Frauds - digital signature give a warranty on who signed a document and you can decide if you trust the person or company who signed the file and if you trust the organization who issued the certificate. If a digital certificate is stolen we will suffer of an identity theft, let's imagine which could be the implication. Some bot, like happened for the banking with Zeus malware, could be deployed to steal steal site certificates so that they can fool web browsers into thinking that a phishing site is a legitimate bank web site.
- Cyber warfare - Criminals or governments could use the stolen certificates to conduct "man-in-the-middle" attacks, tricking users into thinking they were at a legitimate site when in fact their communications were being secretly tampered and intercepted. That is for example what occurred in the DigiNota case … companies like Facebook, Google and also agencies like CIA, MI6 were targeted in Dutch government certificate hack.
The security repercussions are very critical, any attacker with the possibility to sign using a certificate of a CA can sign certificates for any domain. In the past we have already observed similar incidents, such as the case of Diginotar CA, learning how much dangerous is the impairment of a CA.
Who will be next?