A Comodo Security partner was compromised and attackers issued valid digital certificates for popular Websites that would have potentially allowed them to spoof content and perform man-in-the-middle attacks, Microsoft warned.

The nine fraudulent Web certificates affected seven domains, including Microsoft Live service, Google’s mail system, Yahoo and Skype, Microsoft said in a March 23 security advisory. There are no active attacks at this time, according to Bruce Cowper, group manager of trustworthy computing at Microsoft.

Revoked Certificates Removes The Sting

Comodo has revoked these certificates, and the malicious certificates are listed in Comodo’s current Certificate Revocation List, according to Comodo. No Web browser should be accepting the incorrect certificates at this time, Comodo said.

The perpetrators would have been able to spoof content, perform phishing attacks or perform man-in-the-middle attacks only if they had control of the Domain Name System infrastructure as well, Comodo said.

Comodo said the attack originated from an IP address assigned to an Internet service provider in Iran. One certificate for Yahoo’s login page was tested using a server in Iran, but had already been revoked and was blocked from being used, according to Comodo’s incident report.

The server in question has stopped responding to requests. The IP address and server information may be circumstantial evidence as the attacker could have been attempting to lay a false trail, Comodo said. However, the company also noted that the Iranian government has recently attacked other encrypted methods of communication.

Iranian Government Could Be Implicated

Unlike a typical cyber-criminal, who would have targeted financial organisations, this particular attacker focused on communications infrastructure. The targeted domains would be of “greatest use” to a government attempting surveillance of Internet use by dissidents, especially considering the recent turmoil in North Africa and the Persian Gulf region, Comodo said.

Comodo believes this was likely a state-driven attack. This is the first time Comodo is seeing a “state funded” attack against the authentication infrastructure, said Melih Abdulhayoglu, CEO and chief security architect of Comodo.

The attacker obtained the user name and password of a Comodo trusted partner in Southern Europe who was authorised to perform primary validation of certificate requests, Comodo wrote on its blog. The attacker used the stolen credentials to log in to the Comodo RA (root authority) account, and issued those certificates on March 15, according to the post.

“The attacker was well-prepared and knew in advance what he was to try to achieve. He seemed to have a list of targets that he knew he wanted to obtain certificates for, was able quickly to generate the CSRs [certificate signing requests] for these certificates and submit the orders to our system so that the certificates would be produced and made available to him,” Comodo said.

The attacker was still using the account when the breach was identified and the account suspended, possibly preventing more certificates from being issued, Comodo said. Remediation efforts began “immediately”, and additional audits and controls have been deployed. Comodo has declined to specify details regarding controls that were implemented.

Comodo root keys, intermediate CAs or secure hardware were not compromised, the company said. The attacker created a new user account, which has also been suspended. Comodo is “not yet clear” about the nature of the partner’s data breach other than the fact that the partner’s other online accounts were also compromised, he said.

Users who have enabled Online Certificate Status Protocol on their Web browsers will interactively validate these certificates and block them from being used. Comodo has monitored the OCSP responder traffic and has not detected any attempts to use the certificates after they were revoked, according to the incident report.

The certificates were issued for “Global Trustee” as well as for the following URLs: login.live.com, mail.google.com, google.com, login.skype.com and addons.mozilla.org. There were three certificates issued for login.yahoo.com, as well. Only one of the certificates for Yahoo was seen live on the Internet, according to the incident report. Comodo is not sure if the attackers received all the requested certificates in the first place.

Microsoft has developed a mitigation update, which is available through the Microsoft Download Center and the Windows Update Service. Customers can download the update to help protect against inadvertent use of the fraudulent digital certificates, said Microsoft’s Cowper.