
Turkish CA Issues Fraudulent Certificate For Google Domains Used In Active Attacks

Google on Thursday said that late on Christmas Eve, they detected and blocked an unauthorized digital certificate created for the “*.google.com” domain that had been issued by an intermediate certificate authority (CA) which linked back to Turkish certificate authority, TURKTRUST.

Google has since updated Chrome’s certificate revocation metadata to block the intermediate CA, and said they have alerted TURKTRUST and other browser vendors of the issue.

“TURKTRUST told us that based on our information, they discovered that in August 2011 they had mistakenly issued two intermediate CA certificates to organizations that should have instead received regular SSL certificates,” Adam Langley, Software Engineer at Google wrote in a blog post on Thursday.

“Given the severity of the situation, we will update Chrome again in January to no longer indicate Extended Validation status for certificates issued by TURKTRUST, though connections to TURKTRUST-validated HTTPS servers may continue to be allowed,” Langley added.

Microsoft on Thursday also issued a security advisory on the incident and took measures to protect customers, saying it would update the Certificate Trust List (CTL) and provide an update for all supported releases of Microsoft Windows to remove trust in the certificates in question.

“Microsoft is aware of active attacks using one fraudulent digital certificate issued by TURKTRUST Inc., which is a CA present in the Trusted Root Certification Authorities Store,” the advisory notes.

Because an intermediate CA certificate carries the full signing authority of the CA that issued it, an attacker holding such a certificate and its private key could use it to create a certificate for any website they want to impersonate.
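The chain-of-trust point above, as an added example that is not part of this article and not code from Google, Microsoft, Mozilla or TURKTRUST: the Go program below (standard library only) builds a constructed root, issues the same customer two certificates that differ only in the basicConstraints CA flag, signs a certificate for a host the customer does not own with each of them, and shows that a verifier trusting the root accepts the one chained through the mistakenly issued CA:TRUE certificate, refuses the one chained through the correct end-entity certificate, and refuses the mis-issued chain again once that certificate's SPKI hash is on a deny-list (a simplified stand-in for the revocation metadata Chrome and Windows pushed). All names (Example Root CA, customer.example, www.example.net) are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// newTemplate builds an X.509 template. The only difference between a "regular SSL
// certificate" and an intermediate CA is the basicConstraints CA flag (plus keyCertSign).
func newTemplate(cn string, isCA bool, serial int64) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{cn}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// makeCert generates a fresh P-256 key and signs tmpl with parentKey; a nil parent
// produces a self-signed root.
func makeCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	issuer, signer := parent, parentKey
	if parent == nil {
		issuer, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// spkiFingerprint is SHA-256 over the SubjectPublicKeyInfo; it is the deny-list key used
// here (a simplification of how browser revocation metadata identifies a blocked CA).
func spkiFingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// verifyChain applies the deny-list first, then ordinary path validation up to root.
func verifyChain(leaf, inter, root *x509.Certificate, host string, blocked map[string]bool) error {
	for _, c := range []*x509.Certificate{leaf, inter, root} {
		if blocked[spkiFingerprint(c)] {
			return fmt.Errorf("chain contains deny-listed certificate %q", c.Subject.CommonName)
		}
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters})
	return err
}

// Outcome records the three checks so callers can inspect them.
type Outcome struct {
	MisissuedAccepted bool // leaf for a foreign host, signed by the CA:TRUE customer cert, verifies
	EndEntityRejected bool // same leaf signed by the correct CA:FALSE customer cert is refused
	BlockedRejected   bool // the mis-issued chain is refused once its SPKI is deny-listed
}

// RunScenario builds the constructed hierarchy and runs the three verifications.
func RunScenario() (Outcome, error) {
	var o Outcome
	var err error
	build := func(tmpl, parent *x509.Certificate, pk *ecdsa.PrivateKey) (c *x509.Certificate, k *ecdsa.PrivateKey) {
		if err == nil {
			c, k, err = makeCert(tmpl, parent, pk)
		}
		return c, k
	}
	root, rootKey := build(newTemplate("Example Root CA", true, 1), nil, nil)
	endEntity, endEntityKey := build(newTemplate("customer.example", false, 2), root, rootKey) // what should have been issued
	misissued, misissuedKey := build(newTemplate("customer.example", true, 3), root, rootKey)  // what was issued by mistake
	leafViaEndEntity, _ := build(newTemplate("www.example.net", false, 4), endEntity, endEntityKey)
	leafViaMisissued, _ := build(newTemplate("www.example.net", false, 5), misissued, misissuedKey)
	if err != nil {
		return o, err
	}
	o.MisissuedAccepted = verifyChain(leafViaMisissued, misissued, root, "www.example.net", nil) == nil
	o.EndEntityRejected = verifyChain(leafViaEndEntity, endEntity, root, "www.example.net", nil) != nil
	blocked := map[string]bool{spkiFingerprint(misissued): true}
	o.BlockedRejected = verifyChain(leafViaMisissued, misissued, root, "www.example.net", blocked) != nil
	return o, nil
}

func main() {
	o, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

The second check is the one a verifier must get right: the end-entity certificate's signature over the leaf is cryptographically valid, and only the CA:FALSE basic constraint stops it from acting as an issuer. The third check is the mitigation described in this article: once the mis-issued certificate is identified, blocking its key denies every certificate it ever signed without waiting for a CRL or OCSP response.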

“The fraudulent certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against several Google web properties,” Microsoft’s advisory continued.

The issue affects all supported releases of Microsoft Windows.

According to Microsoft, TURKTRUST incorrectly created two subsidiary CAs (*.EGO.GOV.TR and e-islam.kktcmerkezbankasi.org), of which *.EGO.GOV.TR was used to issue a fraudulent digital certificate to google.com.

For mitigation, Microsoft said that for systems using the automatic updater of revoked certificates (including Windows 8, Windows RT, Windows Server 2012), no action is needed by end users, as the systems will be automatically protected.

“For Windows XP and Windows Server 2003 customers or customers who choose not to install the automatic updater of revoked certificates, Microsoft recommends that the 2798897 update be applied immediately using update management software, by checking for updates using the Microsoft Update service, or by downloading and applying the update manually,” the advisory notes.

Mozilla is also addressing the issue and said Thursday that it was revoking trust for the two certificates.

“We are concerned that at least one of the mis-issued intermediate certificates was used for man-in-the-middle (MITM) traffic management of domain names that the customer did not legitimately own or control,” Michael Coates, Director of Security Assurance at Mozilla wrote in a blog post Thursday. “We are also concerned that the private keys for these certificates were not kept as secure as would be expected for intermediate certificates.”

“Mozilla is actively revoking trust for the two mis-issued certificates which will be released to all supported versions of Firefox in the next update on Tuesday 8th January,” Coates said. “We have also suspended inclusion of the “TÜRKTRUST Bilgi İletişim ve Bilişim Güvenliği Hizmetleri A.Ş. (c) Aralık 2007” root certificate, pending further review.”

Google said that it may also take additional action after looking into the issue further.

“The TURKTRUST situation is further evidence that cyber criminals are using their attacks on certificate authorities (CAs) to perpetrate man-in-the-middle and phishing attacks,” Jeff Hudson, CEO of Venafi told SecurityWeek via email.

“Enterprises need to recognize that certificate-based attacks are no longer hypothetical and have become a preferred attack vector. Every organization needs to be prepared for this inevitable fact of IT security life,” Hudson, who is a regular SecurityWeek columnist, continued. “Recent guidance from NIST provides the clear roadmap for organizations to prepare for an attack on their internal or external CAs and how to respond. These attacks demand a response within minutes, otherwise any enterprise from a bank to retailer to manufacturer is vulnerable to costly breaches and brand damage.”

“The fact that the Intermediate CA certificate used to launch the attack carries the full authority of the CA it is linked to and can be used to impersonate any entity is just another example of how every organization must be prepared,” Hudson added. “CAs must recognize the drastic implications of mistakenly issuing a certificate and there must be steps taken by the industry to prevent such security lapses.”

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
