Incidents

The bigger issue with the rogue Google SSL cert

Today we saw the discovery of another rogue SSL certificate – this time for *.google.com. The certificate itself was issued five weeks ago. This will allow an attacker to sniff the traffic to virtually all of Google’s services even with HTTPS enabled.

Right now, there’s an unconfirmed report this attack is happening in Iran. Frankly, I’m not sure it’s really relevant.

Given the number of companies that sell government equipment that enables them to inject certificates onto the wire, this is not restricted to any particular part of the world. However, those countries without their own CA will always be forced to take the route of compromising a Certificate Authority.

The bigger issue here is the Certificate Authority that got compromised. DigiNotar is a Dutch company which was acquired by Vasco earlier this year. Vasco – which amongst other things delivers services similar to RSA’s SecurID – is a very big player on the financial market. Meanwhile DigiNotar is especially strong with governments.

So the number one question racing through my mind is: How big is the compromise at DigiNotar? Does this transcend the certificate generation process?
Could Vasco itself be impacted?

It’s absolutely critical we become aware of the implications of this attack as quickly as possible. We don’t need a repeat of how the RSA breach was underplayed. That helped no one.

With DigiNotar being a supplier to the Dutch government I fully expect political questions in the Netherlands.

The bigger issue with the rogue Google SSL cert

Your email address will not be published. Required fields are marked *

 

Reports

LuminousMoth APT: Sweeping attacks for the chosen few

We recently came across unusual APT activity that was detected in high volumes, albeit most likely aimed at a few targets of interest. Further analysis revealed that the actor, which we dubbed LuminousMoth, shows an affinity to the HoneyMyte group, otherwise known as Mustang Panda.

WildPressure targets the macOS platform

We found new malware samples used in WildPressure campaigns: newer version of the C++ Milum Trojan, a corresponding VBScript variant with the same version number, and a Python script working on both Windows and macOS.

Ferocious Kitten: 6 years of covert surveillance in Iran

Ferocious Kitten is an APT group that has been targeting Persian-speaking individuals in Iran. Some of the TTPs used by this threat actor are reminiscent of other groups, such as Domestic Kitten and Rampant Kitten. In this report we aim to provide more details on these findings.

Andariel evolves to target South Korea with ransomware

In April 2021, we observed a suspicious Word document with a Korean file name and decoy. It revealed a novel infection scheme and an unfamiliar payload. After a deep analysis, we came to a conclusion: the Andariel group was behind these attacks.

Subscribe to our weekly e-mails

The hottest research right in your inbox