Was DigiNotar’s PKIoverheid CA breached too?

Earlier this week DigiNotar said another audit would be performed and the results of this audit would be made public.

One of the big questions is whether the government CA branch – called DigiNotar PKIoverheid – has also been compromised.

Seemingly in preparation for these results, the Dutch government has sent an email to users who have been issued a certificate via the DigiNotar PKIoverheid CA. All of these companies and services are tied to the government or to public services.
Pending the results of this audit, the Dutch government is asking PKIoverheid certificate owners to do the following:

– List the PKIoverheid certificates in the organisation.

– List the processes for which these certificates are being used.

– List the consequences in case the PKIoverheid certificates can no longer be trusted.

I think it would be wise at this point for the affected browser makers to start preparing an update which will also denylist DigiNotar’s PKIoverheid CA. Pending the outcome of the audit, of course.
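As an added illustration (not code from the original post or from DigiNotar or the Dutch government), the following Go program shows what the first of the three inventory steps looks like in practice, together with the effect of the browser denylist argued for above. It uses the standard library's crypto/x509 to build a constructed toy hierarchy (a government-style root, two intermediates, two leaf certificates; all names, including the "Example PKIoverheid Intermediate CA" subject, are made up and are not DigiNotar's real DNs), lists which deployed leaf certificates chain through the suspect intermediate, and then re-runs the check with that intermediate dropped from the trust store, which is what a browser denylist does to the services behind it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed name for the suspect CA branch; it is NOT DigiNotar's real subject DN.
const suspectCA = "Example PKIoverheid Intermediate CA"

var serial int64 // serial counter for the constructed certificates

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// newCert issues a certificate for cn; parent == nil yields a self-signed root.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn} // hostname the leaf is deployed on
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// Finding is one inventory row for a deployed certificate.
type Finding struct {
	Subject    string
	Verifiable bool // a chain to a trusted root could be built
	Dependent  bool // that chain passes through the suspect CA
}

// inventory builds a chain for every leaf and flags those that depend on the suspect CA.
func inventory(leaves []*x509.Certificate, roots, inters *x509.CertPool) []Finding {
	var out []Finding
	for _, leaf := range leaves {
		f := Finding{Subject: leaf.Subject.CommonName}
		chains, err := leaf.Verify(x509.VerifyOptions{
			Roots: roots, Intermediates: inters, DNSName: leaf.Subject.CommonName,
		})
		if err == nil {
			f.Verifiable = true
			for _, chain := range chains {
				for _, c := range chain {
					if c.Subject.CommonName == suspectCA {
						f.Dependent = true
					}
				}
			}
		}
		out = append(out, f)
	}
	return out
}

// poolFrom builds a trust pool; leaving a CA out of it is how the denylist takes effect here.
func poolFrom(certs ...*x509.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	for _, c := range certs {
		p.AddCert(c)
	}
	return p
}

// Scenario is the constructed hierarchy: one root, two intermediates, two leaves.
type Scenario struct {
	Root, Suspect, Other *x509.Certificate
	Leaves               []*x509.Certificate
}

func buildScenario() Scenario {
	root, rootKey := newCert("Example Government Root CA", true, nil, nil)
	suspect, suspectKey := newCert(suspectCA, true, root, rootKey)
	other, otherKey := newCert("Example Other Intermediate CA", true, root, rootKey)
	tax, _ := newCert("tax.example.test", false, suspect, suspectKey)
	permits, _ := newCert("permits.example.test", false, other, otherKey)
	return Scenario{Root: root, Suspect: suspect, Other: other, Leaves: []*x509.Certificate{tax, permits}}
}

func main() {
	s := buildScenario()
	fmt.Println("with the suspect CA still trusted:")
	for _, f := range inventory(s.Leaves, poolFrom(s.Root), poolFrom(s.Suspect, s.Other)) {
		fmt.Printf("  %-22s verifiable=%-5v depends_on_suspect_ca=%v\n", f.Subject, f.Verifiable, f.Dependent)
	}
	fmt.Println("after denylisting it (dropped from the intermediate pool):")
	for _, f := range inventory(s.Leaves, poolFrom(s.Root), poolFrom(s.Other)) {
		fmt.Printf("  %-22s verifiable=%-5v depends_on_suspect_ca=%v\n", f.Subject, f.Verifiable, f.Dependent)
	}
}
```

In a real inventory the leaves would come from the organisation's own servers and key stores rather than from buildScenario, and the "Dependent" column is exactly the list the second and third steps above need: the processes behind those hostnames are the ones that break the moment the CA is distrusted, so they are the ones to reissue first, under the government's own root where that is possible.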

A lot of Dutch government sites and services are going to be affected by the revocation. Cleaning up is going to be painful.

The Dutch government has used DigiNotar as an intermediary CA in quite a lot of cases. The Dutch government actually has a root CA of its own, which could be leveraged to quickly produce new certificates for the affected services.

I hope it’s truly clear now that the Dutch government needs to distance itself from DigiNotar.

Previous blog entries on this matter:
More on DigiNotar and
The bigger issue with the rogue Google SSL cert
