Watch Out For Compromised Certificates and Domain Shadowing

A security researcher with Trend Micro noted in a blog post last January (http://blog.trendmicro.com/trendlabs-security-intelligence/lets-encrypt-now-being-abused-by-malvertisers/) that malvertisers were creating subdomains using a technique called “domain shadowing” and then serving the Angler Exploit Kit from them. Originally, the post blamed the free certificates that Let’s Encrypt (https://letsencrypt.org/) was offering for the trend, but it later conceded that certificate abuse is a problem across many certificate providers.

It has been a goal for quite some time to have all websites use SSL/TLS (https). Having website owners encrypt traffic is very laudable. Unfortunately, certificates and the accounts behind them can be compromised. Trend Micro at first blamed the free issuance of certificates as the reason behind domain shadowing. While there may be some merit in that, free certificates simply are not the primary reason behind the problem.

History of Certificate Compromises

In 2011, DigiNotar, a Dutch certificate authority, was compromised, and a huge number of fraudulent certificates were issued to bad actors. This led to its demise, since nobody could trust the authority any longer.

Google discovered in September 2015 that Symantec had issued google.com certificates to an entity that was not Google. Certificate authority trust was broken in that case as well, but as far as anyone could tell the situation was not as dire as the DigiNotar case.

What is Domain Shadowing?

Domain shadowing is the use of hijacked domain registration accounts to create subdomains under a legitimate domain. Once a subdomain is created, the Angler Exploit Kit is used to redirect visitors to another subdomain that the attacker controls.

What can be done to prevent this issue?

There are a number of ways to keep this issue from becoming a problem. For the end user, keep software up to date to reduce the vulnerabilities an exploit kit can target. Not much else can be done on that side.

For website administrators, there is a way to make sure that your site is not exploited by bad actors. Domain shadowing was found to succeed because many administrators don’t actually check their domain registration accounts until it is time to renew. Domains should be monitored continuously: review the registrar account and the subdomains it contains, not just the renewal date. There is also a service that website administrators should sign up with to monitor for certificate changes and fraudulent certificates: DigiCert’s Certificate Monitoring at https://www.digicert.com/certificate-monitoring/ will help.
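The kind of check a monitoring service performs can be illustrated with a small script that audits recently logged certificates for a domain against a baseline of known hosts and expected issuers. This is an added example, not code from the original post or from DigiCert; the log entries are constructed, and the field names only loosely follow the shape of a public certificate-log export rather than any service’s exact schema.

```python
import json

# Constructed sample of certificate-log entries for one domain (assumed field
# names: name_value holds newline-separated SANs, issuer_name is the issuer DN).
SAMPLE_LOG = """[
 {"name_value": "www.example.com\\nexample.com",
  "issuer_name": "C=US, O=Let's Encrypt, CN=R3", "not_before": "2016-01-10T08:00:00"},
 {"name_value": "mail.example.com",
  "issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA", "not_before": "2015-12-01T00:00:00"},
 {"name_value": "ads-7fk3.example.com",
  "issuer_name": "C=US, O=Let's Encrypt, CN=R3", "not_before": "2016-01-20T03:15:00"},
 {"name_value": "*.example.com",
  "issuer_name": "C=XX, O=Unknown CA", "not_before": "2016-01-21T11:00:00"}
]"""

# Baseline the administrator maintains: every host they actually operate, and
# the CAs they actually order certificates from.
KNOWN_HOSTS = {"example.com", "www.example.com", "mail.example.com"}
TRUSTED_ISSUERS = {"Let's Encrypt", "DigiCert Inc"}


def issuer_org(issuer_name):
    """Pull the O= component out of a comma-separated issuer DN."""
    for part in issuer_name.split(","):
        key, _, value = part.strip().partition("=")
        if key == "O":
            return value
    return None


def audit(log_json, known_hosts=KNOWN_HOSTS, trusted_issuers=TRUSTED_ISSUERS):
    """Return (name, issuer, not_before, reasons) for every certificate that
    names a host outside the baseline, is a wildcard, or came from an
    unexpected CA. A shadowed subdomain shows up here as an unknown host."""
    findings = []
    for entry in json.loads(log_json):
        names = sorted(n.strip().lower() for n in entry["name_value"].split("\n"))
        org = issuer_org(entry["issuer_name"])
        for name in names:
            reasons = []
            if name.startswith("*."):
                reasons.append("wildcard")       # covers every subdomain, incl. shadowed ones
            elif name not in known_hosts:
                reasons.append("unknown host")   # nobody on the team registered this name
            if org not in trusted_issuers:
                reasons.append("unexpected issuer")
            if reasons:
                findings.append((name, org, entry["not_before"], reasons))
    return findings


if __name__ == "__main__":
    for name, org, since, reasons in audit(SAMPLE_LOG):
        print(f"{since}  {name:<28} {org:<16} {', '.join(reasons)}")
```

Run against a real export of the domain’s certificates, the same two sets are what a monitoring alert should be keyed on: names you never created and issuers you never used.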

Web hosting companies and businesses have additional resources that can mitigate the problem. Blacklisting is a common technique, but for domain shadowing it is not helpful: the Angler Exploit Kit constantly rotates IP addresses, subdomains and the malware itself to stay ahead of signature-based antivirus programs. The best way to catch this and other types of malware appears to be next-generation intrusion prevention systems (NGIPSs). These combine signature detection with protocol anomaly detection and behavioral or heuristic analysis, and are typically hardware based.


© 2016 Michael Carr
