
Microsoft Revokes Fake Yahoo, Google Certificates Issued After India NIC Hack

Microsoft has updated its Certificate Trust List (CTL) to revoke rogue certificates issued following a breach of India’s National Informatics Center (NIC).


The NIC is a government agency that holds intermediate Certificate Authority (CA) certificates trusted by the Indian Controller of Certifying Authorities (India CCA).

The India CCA’s certificates are included in Microsoft’s Trusted Root Certification Authorities Store, which means they’re trusted by most Windows applications.

Google reported on Tuesday that it had identified unauthorized digital certificates for several of the company’s domains. Following an investigation by the India CCA, it came to light that the NIC’s issuance process was compromised.

While the India CCA found only four fake certificates, three for Google and one for Yahoo domains, Google said that others existed as well, according to an update made on Wednesday to its initial blog post.

This is confirmed by Microsoft, which announced on Thursday that it has revoked improperly issued certificates for over a dozen Google domains and more than two dozen Yahoo domains, including google.com, mail.google.com, gmail.com, login.yahoo.com and mail.yahoo.com.

Microsoft says it is not aware of any attacks in which the certificates are used, but the CTL has been updated for all supported versions of Windows as a precaution.

“The subordinate CA has been misused to issue SSL certificates for multiple sites, including Google web properties. These SSL certificates could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against web properties. The subordinate CAs may also have been used to issue certificates for other, currently unknown sites, which could be subject to similar attacks,” Microsoft said in its advisory.

For its part, Google revoked the intermediate CA certificates held by NIC, but because the full extent of the breach has not been determined, the search engine giant also decided to limit the India CCA root certificate to the domains gov.in, nic.in, ac.in, rbi.org.in, bankofindia.co.in, ncode.in and tcs.co.in.

The changes will be reflected in a future Chrome release.
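The root scoping Google applied, as an added illustration that is not Google's or Microsoft's code: a root CA is allowed to vouch only for names under a fixed set of domains, and anything else chaining to it is flagged. The "India CCA" root label, the "NIC CA" issuer label and the sample inventory are constructed placeholders, not real certificate subjects.

```python
from dataclasses import dataclass

# Domains Chrome limited the India CCA root to, per the article.
INDIA_CCA_ALLOWED = ("gov.in", "nic.in", "ac.in", "rbi.org.in",
                     "bankofindia.co.in", "ncode.in", "tcs.co.in")

# Policy: root label -> permitted domain suffixes. "India CCA" is a
# placeholder label for the root, not its real subject DN.
ROOT_SCOPE = {"India CCA": INDIA_CCA_ALLOWED}

def _within(name, suffix):
    """True if name equals suffix or is a subdomain of it; label-based,
    so 'evilgov.in' does not match 'gov.in'."""
    name, suffix = name.lower().rstrip("."), suffix.lower().rstrip(".")
    return name == suffix or name.endswith("." + suffix)

def name_allowed(root, dns_name, scope=ROOT_SCOPE):
    """May a leaf SAN dns_name chain to root? Roots absent from the policy
    are unrestricted (ordinary trust-store behaviour). A wildcard SAN is
    accepted only if its base domain lies inside the scope, so '*.in'
    cannot be used to cover the allowlisted zones."""
    allowed = scope.get(root)
    if allowed is None:
        return True
    base = dns_name[2:] if dns_name.startswith("*.") else dns_name
    return any(_within(base, s) for s in allowed)

@dataclass
class ObservedCert:
    root: str     # root the chain terminates at
    issuer: str   # issuing (intermediate) CA
    sans: tuple   # dNSName SAN entries

def out_of_scope(certs):
    """Return (issuer, san) pairs that violate the root scope policy;
    a simple detection over a certificate inventory or CT log export."""
    return [(c.issuer, san) for c in certs for san in c.sans
            if not name_allowed(c.root, san)]

# Constructed sample inventory, not real observed certificates.
SAMPLE = [
    ObservedCert("India CCA", "NIC CA", ("www.nic.in", "*.gov.in")),
    ObservedCert("India CCA", "NIC CA", ("mail.google.com", "login.yahoo.com")),
    ObservedCert("India CCA", "NIC CA", ("evilgov.in",)),
    ObservedCert("Other Root", "Other CA", ("example.com",)),
]

if __name__ == "__main__":
    for issuer, san in out_of_scope(SAMPLE):
        print(f"out-of-scope: {san} issued under {issuer}")
```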

At the time of writing, the NIC CA is still not issuing certificates. A message posted on the organization’s website informs visitors that operations are not expected to resume any time soon.

While the details of the breach have not been disclosed, according to Google, the first bogus certificate was issued on June 25.

“The use of malicious certificates is another wakeup call for businesses and governments to take action. They cannot trust third party Certificate Authorities (CAs) that their organization now has reason to be trusting. But, browsers, operating systems, enterprise applications, and mobile devices do. Certificate whitelisting makes sure that only those CAs that should be trusted are trusted – all other CAs are removed,” Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, told SecurityWeek.

“Right now, every enterprise should be using certificate whitelisting to make sure the Indian Controller of Certifying Authorities are no longer trusted. Beyond this, enterprises need to be able to respond quickly and remediate. Next time it may be certificates that are issued from a now untrusted CA (as is clearly the case with the Indian CA) or some of their certificates have been compromised and now being missed.”


Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
