
Chinese CA issued bogus digital certificates for Google domains

Google's security team has recently discovered and blocked fraudulent digital certificates issued for several Google domains through a Chinese CA.

On March 20, Google's security team discovered and blocked fraudulent digital certificates issued for several Google domains. The investigation revealed that a Chinese certificate authority had delegated its authority to an intermediate CA, MCS Holdings, which issued the bogus Google certificates. The circumstance is worrying because MCS Holdings could have issued digital certificates for virtually any of the company's domains.

Google issued an update to the revocation list included in the Chrome browser in order to revoke the fraudulent certificates, and it also alerted other browser vendors to the security issue. Google contacted officials at CNNIC, the Chinese registrar that authorized the intermediate CA, who said that they were working with MCS to issue certificates for the domains that MCS had registered.

Google promptly reported the issue to CNNIC, the Chinese registrar that authorized the intermediate CA, which confirmed that MCS was meant to issue certificates only for domains that it had registered. It seems that the private key was instead installed on a man-in-the-middle proxy, a network appliance that eavesdrops on secure connections by impersonating the intended destination, for surveillance purposes.

“CNNIC responded on the 22nd to explain that they had contracted with MCS Holdings on the basis that MCS would only issue certificates for domains that they had registered. However, rather than keep the private key in a suitable HSM, MCS installed it in a man-in-the-middle proxy. These devices intercept secure connections by masquerading as the intended destination and are sometimes used by companies to intercept their employees’ secure traffic for monitoring or legal reasons,” wrote Adam Langley from Google in a blog post.

Langley highlighted the risks of this kind of operation: CNNIC is trusted by all of the major browsers, so the misissued certificates exposed users to serious risk.

“The employees’ computers normally have to be configured to trust a proxy for it to be able to do this. However, in this case, the presumed proxy was given the full authority of a public CA, which is a serious breach of the CA system,” wrote Langley. “CNNIC is included in all major root stores and so the misissued certificates would be trusted by almost all browsers and operating systems. Chrome on Windows, OS X, and Linux, ChromeOS, and Firefox 33 and greater would have rejected these certificates because of public-key pinning, although misissued certificates for other sites likely exist.”

In December 2013 a similar incident occurred: security experts at Google discovered the unauthorized use of digital certificates for several Google domains issued by an intermediate certificate authority linked to ANSSI.

ANSSI is the French cybersecurity agency, which works alongside the French intelligence agencies; the organization declared that an intermediate CA had been generating fake certificates to conduct MITM attacks and inspect SSL traffic. Be aware that an intermediate CA certificate carries the full authority of the CA that issued it: whoever holds its private key can create a trusted certificate for any website they wish to impersonate.

“ANSSI has found that the intermediate CA certificate was used in a commercial device, on a private network, to inspect encrypted traffic with the knowledge of the users on that network. This was a violation of their procedures and they have asked for the certificate in question to be revoked by browsers. We updated Chrome’s revocation metadata again to implement this,” reported Google. 

Google discovered the ongoing MITM attack and blocked it, and it stated that ANSSI had requested that the intermediate CA certificate be blocked.
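The common thread in both incidents is that the intermediate CA was trusted for every name on the Internet while being meant, by contract, to issue only for a narrow set of domains. An X.509 name constraint lets the parent CA enforce that limit in the certificate itself, so path validation rejects a certificate for any other host even though the root is trusted. The following Go program is an added example, not code from the article, Google or CNNIC; it uses only the standard library to build a constructed root, intermediate and leaf chain and validates it the way a browser would. The hostname www.google.com is taken from the article's subject; the permitted suffix mcs-example.test is an assumption constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue generates a fresh P-256 key for tmpl and signs it with signer under parent;
// a nil parent means self-signed (root), in which case the new key signs itself.
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced one line above; parsing cannot fail
	return cert, key
}

// IssueAndVerify builds a constructed root -> intermediate -> leaf chain for host and runs path
// validation trusting only the root (as browsers trust CNNIC). A non-empty permitted list puts a
// critical DNS name constraint on the intermediate; an empty list models an unconstrained one.
func IssueAndVerify(host string, permitted []string) error {
	tmpl := func(cn string, serial int64, ku x509.KeyUsage, dns []string) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), DNSNames: dns,
			IsCA: ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true, KeyUsage: ku}
	}
	root, rootKey := issue(tmpl("Constructed Root CA", 1, x509.KeyUsageCertSign, nil), nil, nil)
	it := tmpl("Constructed Intermediate CA", 2, x509.KeyUsageCertSign, nil)
	it.PermittedDNSDomains, it.PermittedDNSDomainsCritical = permitted, len(permitted) > 0
	inter, interKey := issue(it, root, rootKey)
	leaf, _ := issue(tmpl(host, 3, x509.KeyUsageDigitalSignature, []string{host}), inter, interKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters})
	return err
}
```

With an empty permitted list the chain validates for www.google.com, which is exactly the exposure the article describes; with the constraint in place the same leaf fails validation while a leaf under mcs-example.test still succeeds.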


Pierluigi Paganini

(Security Affairs –  MITM,  digital certificate)