One year after DigiNotar breach, Fox-IT details extent of compromise
The hacker gained admin access to all critical DigiNotar certificate authority systems despite network segmentation, investigators say
The 2011 security breach at Dutch certificate authority (CA) DigiNotar resulted in an extensive compromise and was facilitated in part by shortcomings in the company's network segmentation and firewall configuration, according to Fox-IT, the security company contracted by the Dutch government to investigate the incident.
"The DigiNotar network was divided into 24 different internal network segments," Fox-IT said in its final investigation report, published earlier this week by the Dutch Ministry of Interior and Kingdom Relations. "An internal and external Demilitarized Zone (DMZ) separated most segments of the internal network from the Internet. The zones were not strictly described or enforced and the firewall contained many rules that specified exceptions for network traffic between the various segments."
The DigiNotar security breach occurred in July 2011 and resulted in a hacker using the company's certificate authority (CA) infrastructure to issue hundreds of rogue digital certificates for high-profile domains, including one for google.com that was later used in a mass surveillance attack against Internet users in Iran. After the incident became public, browser and operating system developers revoked their trust in the certificates and the company filed for bankruptcy.
The breach was significant because it raised questions about the security and trustworthiness of the public key infrastructure (PKI) in its current form, which led to various technical proposals that promise to reduce the impact of certificate authority compromises and prevent the use of rogue digital certificates. There are currently hundreds of certificate authorities trusted by default in Web browsers and operating systems, and all of them can issue valid digital certificates for any domain on the Internet.
The attacker's original points of entry into the DigiNotar network were two Web servers that hosted public websites running on outdated and vulnerable versions of DotNetNuke, a Web content management system. These Web servers were located in the company's external Demilitarized Zone.
The intruder then leveraged the existent firewall rules to access and compromise servers from different network segments -- first from a segment called Office-net and then from a segment called Secure-net, which housed the certificate authority servers used for digital certificate issuing.
"Specialized tools were recovered on systems in these segments, which were used to create tunnels that allowed the intruder to make an Internet connection to DigiNotar's systems that were not directly connected to the Internet," Fox-IT said. "The intruder was able to tunnel Remote Desktop Protocol connections in this way, which provided a graphical user interface on the compromised systems, including the compromised CA servers."
DigiNotar operated multiple subordinate certificate authorities (sub CAs) and used them to issue digital certificates for different purposes, including certificates for the Dutch government's IT operations.
Fox-IT reiterated the conclusion expressed in its interim report released in September 2011: that all of DigiNotar's CA servers had been compromised. This was the result of the fact that all servers were on the same Windows domain and the attacker managed to obtain the domain administrator credentials, possibly through "brute force" methods because the password was not very strong, the company said in the interim report.
"The investigation by Fox-IT showed that all eight servers that managed Certificate Authorities had been compromised by the intruder," Fox-IT said in its final report released Monday. "The log files were generally stored on the same servers that had been compromised and evidence was found that they had been tampered with."
Because some of the logs had been deleted the company couldn't determine which of the compromised CA servers were actually used to issue rogue certificates. However, some evidence suggests that more rogue certificates than previously believed were issued by the hacker.
"Serial numbers for certificates that did not match the official records of DigiNotar were recovered on multiple CA servers, including the Qualified-CA server which was used to issue both accredited qualified and government certificates, indicating that these servers may have been used to issue additional and currently unknown rogue certificates," the company said.
Having access to a CA server wouldn't have been sufficient for the hacker to issue digital certificates, because this process required an operator to insert a smartcard in order to activate the corresponding private key, which was stored in a hardware security module.
"The unauthorized actions that might have taken place could not have included the issuing of rogue certificates if the corresponding private key had not been active during the intrusion period," Fox-IT said. "No records could be provided by DigiNotar regarding if and when smartcards were used to activate private keys, except that the smartcard for the Certificate Authorities managed on the CCV-CA server, which is used to issue certificates used for electronic payment in the retail business, had reportedly been in a vault for the entire intrusion period."
However, the company found evidence that Certificate Revocation Lists (CRL) -- lists of revoked digital certificates -- were automatically issued by some CA servers during the intrusion period. These lists need to be signed, which suggests that the private keys were active and the attacker had the opportunity to abuse them.
All information discovered during the investigation about the attacker, like the IP addresses he used -- some of them corresponding to proxy servers -- were handed over to the Dutch police. The evidence suggests that the hacker was located in Iran and a signature left in a text file points to him being the same attacker who compromised the Comodo certificate authority in March 2011.
Even though there are still some unanswered questions about the steps taken by the hacker once inside the DigiNotar network, some lessons can be learned from this incident, Fox-IT said.
First, it's important to complement prevention measures with detection measures, the company said. "Detection can prevent that critical parts of the infrastructure can be targeted, even in the case of a breach of a specific segment."
Separating the tasks performed by the IT staff is also important. For example, system administrators should not be in charge of setting up and maintaining firewalls or other security components of the infrastructure because they may be inclined to provide a pleasant working environment for users that would conflict with the task of limiting interaction between network segments, Fox-IT said.
Other recommendations enumerated by the company in its report include: separating vital systems as much as possible from untrusted network segments or the Internet; updating all software products on all systems as often as possible; limiting the amount of services that run on systems used for critical processes; hardening all systems by changing the default settings; performing regular penetration tests with different teams; and making sure that systems or networks are monitored and the appropriate employees are notified of any anomalies.