Fraudulent TURKTRUST Digital Certificate Used In Active Attacks
Google, Microsoft and Mozilla have released alerts regarding active attacks using fraudulent digital certificates issued by TURKTRUST, a Turkish certificate authority and a subsidiary company of Turkish Armed Forces ELELE Foundation Company.
Google's alert states that on 24 December it detected and blocked an unauthorized digital certificate for the “*.google.com” domain. This certificate was issued by an intermediate certificate authority (CA) linked to TURKTRUST. After investigation, in collaboration with TURKTRUST, it appears that an additional intermediate certificate authority was also compromised. The Google Chrome certificate revocation list was updated on 26 December to block these fraudulent intermediate CAs.
Microsoft has released Security Advisory MSA-2798897, which affects all supported releases of Microsoft Windows. Microsoft is updating the Certificate Trust List and providing an update for all supported releases of Microsoft Windows that removes these fraudulent certificates. Systems using Windows 8, Windows RT, Windows Server 2012, and devices running Windows Phone 8 are automatically updated and protected.
The following certificates will be added to the Untrusted Certificates folder:
- Certificate “*.google.com” issued by “*.EGO.GOV.TR” with thumbprint “4d 85 47 b7 f8 64 13 2a 7f 62 d9 b7 5b 06 85 21 f1 0b 68 e3”.
- Certificate “e-islem.kktcmerkezbankasi.org” issued by “TURKTRUST Elektronik Sunucu Sertifikasi Hizmetleri” with thumbprint “f9 2b e5 26 6c c0 5d b2 dc 0d c3 f2 dc 74 e0 2d ef d9 49 cb”.
- Certificate “*.EGO.GOV.TR” issued by “TURKTRUST Elektronik Sunucu Sertifikasi Hizmetleri” with thumbprint “c6 9f 28 c8 25 13 9e 65 a6 46 c4 34 ac a5 a1 d2 00 29 5d b1”.
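The thumbprints listed above are SHA-1 digests of each certificate's DER encoding, so a certificate chain captured from a proxy, a packet capture or a trust store can be checked against them directly. The following is an added example, not code from any of the vendor advisories; the function names and the sample "certificates" (arbitrary constructed bytes) are assumptions made for illustration.

```python
import hashlib
import ssl

# SHA-1 thumbprints copied from the list above, mapped to the certificate name.
ADVISORY = {
    "4d 85 47 b7 f8 64 13 2a 7f 62 d9 b7 5b 06 85 21 f1 0b 68 e3": "*.google.com",
    "f9 2b e5 26 6c c0 5d b2 dc 0d c3 f2 dc 74 e0 2d ef d9 49 cb": "e-islem.kktcmerkezbankasi.org",
    "c6 9f 28 c8 25 13 9e 65 a6 46 c4 34 ac a5 a1 d2 00 29 5d b1": "*.EGO.GOV.TR",
}

def normalize(thumbprint):
    """Strip the usual separators and return 40 lowercase hex digits."""
    digits = thumbprint.strip().lower()
    for sep in (" ", ":", "-"):
        digits = digits.replace(sep, "")
    if len(digits) != 40 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError("not a SHA-1 thumbprint: %r" % thumbprint)
    return digits

BLOCKLIST = {normalize(tp): name for tp, name in ADVISORY.items()}

def thumbprint(cert):
    """SHA-1 over the DER encoding; accepts DER bytes or a PEM string."""
    der = ssl.PEM_cert_to_DER_cert(cert) if isinstance(cert, str) else cert
    return hashlib.sha1(der).hexdigest()

def find_untrusted(chain, blocklist=BLOCKLIST):
    """Return (position, name, thumbprint) for each blocklisted certificate in a chain."""
    hits = []
    for position, cert in enumerate(chain):
        tp = thumbprint(cert)
        if tp in blocklist:
            hits.append((position, blocklist[tp], tp))
    return hits

# Constructed stand-ins: arbitrary bytes, not real certificates.
SAMPLE_LEAF = b"constructed leaf placeholder"
SAMPLE_INTERMEDIATE_PEM = ssl.DER_cert_to_PEM_cert(b"constructed intermediate placeholder")

if __name__ == "__main__":
    chain = [SAMPLE_LEAF, SAMPLE_INTERMEDIATE_PEM]
    print(find_untrusted(chain))  # clean chain: no hits
    # Add the constructed intermediate to a copy of the blocklist to show a hit.
    demo = dict(BLOCKLIST)
    demo[thumbprint(SAMPLE_INTERMEDIATE_PEM)] = "constructed entry"
    print(find_untrusted(chain, demo))
```

A whole chain is checked, not only the leaf, because “*.EGO.GOV.TR” in the list above is itself the issuer of the “*.google.com” certificate.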
Mozilla has released a Security Blog post and takes a different position from Google and Microsoft. The foundation will actively revoke trust for the two fraudulent certificates, but will also suspend inclusion of the “TÜRKTRUST Bilgi İletişim ve Bilişim Güvenliği Hizmetleri A.Ş. (c) Aralık 2007” root certificate, pending further review. A new version of Firefox will be released on Tuesday 8th January.
These fraudulent certificates could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks, so we advise you to update as soon as possible.