[cryptography] 512-bit certs used in attack
pgut001 at cs.auckland.ac.nz
Mon Nov 28 06:13:55 EST 2011
Marsh Ray <marsh at extendedsubset.com> writes:
>On 11/27/2011 09:57 PM, Peter Gutmann wrote:
>> Unfortunately this doesn't explain how they go the 1024-bit and
>> longer keys that were also used in the attack.
>Is that true? I haven't seen this reported. Link?
Off-list :-). Oh, wait a minute, there's at least an indirect reference on a
public page at http://www.f-secure.com/weblog/archives/00002269.html:
The malware downloads additional malicious components from a server called
worldnewsmagazines.org. Some of those components are also signed, although
this time by an entity called www.esupplychain.com.tw.
Those were again 512-bit certs though, in fact the Fox-IT article is rather
confusing in this regard, it lists the following:
* lfxsys.lfx.com.my (Digicert Sdn. Bhd.)
* webmail.jaring.my (Digicert Sdn. Bhd.)
* mcrs2.digicert.com.my (Digicert Sdn. Bhd.)
* ad-idmapp.cityofbristol.ac.uk (Cybertrust)
* stfmail.ccn.ac.uk (Cybertrust)
* skillsforge.londonmet.ac.uk (Cybertrust)
* agreement.syniverse.com (GlobalSign Inc)
* www.esupplychain.com.tw (TAIWAN-CA.COM Inc.)
* ahi.anthem.com (Anthem Inc)
as "certificates we found to be used in the wild recently" (presumably as part
of the attack), but only three of the nine are from Digicert. Since Digicert
was cross-certified by a key formerly belonging to GTE Cybertrust I could see
the "Cybertrust" listed above as possibly being more DigiCert (but why would
the UK government be buying certs from them?), but if that list is of 512-bit
certs then it also means that GlobalSign (major public CA), as well as two
others, Taiwan-CA (lesser-known public CA... hey, were you aware that your
browser implicitly trusts these guys?) and Anthem (unknown, presumably one of
the vast number of sub-CAs that no-one knows exist), were also issuing 512-bit
certs used to sign malware. I wonder when we'll see Cybertrust and GlobalSign
and Taiwan-CA get their CA certs pulled?
The Fox-IT article then goes on to say "we can find two certificates in there
which we know that have been abused"... what happened to the nine certs above?
>Possibly this is built on some assumptions, but its seems to be the simplest
>explanation for the data. I.e., how many ways are there for an attacker with
>the goal of stealing certs to use in an attack and end up getting caught with
>nine 512 bit ones?
I agree that that makes it a bit unlikely, although "hosted in the same data
centre/vhosted on the same server" would be one easy explanation (the Jaring
webmail and Digicert servers are on the same AS, indicating they're
potentially in the same data centre, but then the other one isn't). There's
also the Fox-IT comment for one of the certs, "why would the attackers go
through great lengths of factoring the RSA key and using it to sign their
executables, if it did not pass verification?". Having said that, if the
above is indeed accurate (and that depends on how you interpret the info in
the Fox-IT article), that a number of different CAs all issued 512-bit certs
and they were all compromised, then it does look like they were obtained by
factorisation. It's quite an illogical attack vector though, given how easy
it is to get full-strength dedicated code-signing certs the standard way...
I think I'll contact the Fox-IT person who wrote the article for
clarification, it's kinda hard to figure out who was responsible for which
compromised certs and which ones were actually used in the attack. I'll
post any info I get back here.
More information about the cryptography