Iranian Hacker Takes Responsibility For Comodo Attack


During the past few days the purported hacker has posted a series of messages online about the attack in broken English. In the messages, the person attempts to end speculation that the attack was state-sponsored, claiming instead it was a solo operation.

According to the messages, the attack targeted GlobalTrust.it and InstantSSL.it. GlobalTrust.it, the person explained, had a DLL file called TrustDLL.dll that is used to send requests to Comodo and retrieve generated certificates.

“I was looking to hack some CAs like Thawte, Verisign, Comodo, etc. I found some small vulnerabilities in their servers, but it wasn't enough to gain access to server and sign my CSRs,” the person wrote. “During my search about InstantSSL of Comodo which signs CSRs (certificate signing requests) immediately I found InstantSSL.it which was doing its job under control of Comodo.

“After a little try, I analyzed their web server and easily (easy for me, so hard for others) I got FULL access on the server, after a little investigation on their server, I found out that TrustDll.dll takes care of signing,” the hacker wrote. “It was coded in C# (ASP.NET). I decompiled the DLL and I found username/password of their GeoTrust and Comodo reseller account.


“(The) GeoTrust reseller URL was not working, it was in ADTP.cs,” the hacker continued. “Then I found out their Comodo account works and Comodo URL is active.”

When all was said and done, the attacker was able to generate nine SSL certificates for seven domains: www.google.com, mail.google.com, login.yahoo.com, login.skype.com, addons.mozilla, login.live.com and global trustee.

All the certificates were revoked by Comodo after the attack was discovered.

Comodo did not respond to a request Monday for comment. Last week, however, Comodo CEO Melih Abdulhayoglu told CRN the attack was likely the work of the Iranian government.

Though the poster confirmed being from Iran, the attacker repeatedly stressed the attack was carried out solo. Some have questioned whether the poster was actually behind the attack, which prompted the poster to release more details. “People imagine that hackers are part of a larger conspiracy, especially when you can’t understand how a single person could have done the hack,” blogged Robert Graham, CEO of Errata Security. “But the reality is that hacking is individualistic. You talk about generalities with your friends, but when it comes time to crack a target, it’s a marathon 20 hour session with just you, a computer, and endless supplies of caffeine.”

News of the attack, which occurred March 15, touched off discussions last week about trust on the Internet. SSL certificates are used to authenticate a Web site to the browser and offer assurance that the traffic between the site and the browser is encrypted.

“The one remaining mystery,” blogged Chester Wisniewski, a senior security advisor with Sophos Canada, “is this: If it was a lone hacker making a point, why issue certificates for these specific websites, all related to secure communication methods often used by dissidents to organize protests and share news with the world? His ramblings certainly show his support for Mahmoud Ahmadinejad and the current Iranian regime, but there are no conclusive ties to his government.”