Situation
On 8 July 2014 Google reported it had discovered certificates issued without authorization for the multiple Google-owned domains from the National Informatics Centre (NIC) Certificate Authority (CA). NICCA CA certificates are Intermediate CA certificates issued by the Indian Controller of Certifying Authorities (ICCA). NICCA CA certificates, and as a result NICCA, are trusted in Microsoft Windows and other applications, which makes this is a serious security issue for all enterprises worldwide. There are some reports that other malicious certificates were issued to fraudulently represent Yahoo and other organization. It is not clear whether this malicious action was due to fraud, breach, or complicity from the Indian authorities.
Threat
No information is available on the actors who requested or maliciously issued these certificates but their intent should be assumed to be malicious. Certificates issued for a domain would allow for spoofing of websites, encrypted communications to be disclosed, and information to be tampered with. With information obtained from the attack, attackers may proceed to steal more data or elevate privileges from credentials gained through operations. Any communication with Google, including Gmail, Google Drive, and other applications, could be compromised for all organizations and individuals worldwide, not just those operating in India. And it appears that other web services that businesses and governments communicate with, including Yahoo, have also been targeted with malicious certificate issuance.
Impact
ICCA, and as a result, NICCA-issued certificates, are trusted by Microsoft Certificate Store, including Internet Explorer and Google Chrome. NICCA CAs may be trusted in other enterprise applications. Therefore, the certificates issued for Google domains (and likely others including at least Yahoo) would be trusted allowing for websites to be spoofed, sensitive information captured, and all traffic decrypted.
Recommended Remediation
Venafi recommends customers use the Venafi Trust Protection Platform to take the following actions:
- Detect NICCA certificates with Venafi TrustAuthority:
- Scan for any certificates on their network issued by NICCA
- Evaluate if NICCA CA certificates are trusted by enterprise applications
- Report and escalate any NICCA CA certificates and issued certificates
- Remediate with Venafi TrustForce
- Remove all NICCA CA certificates using certificate whitelisting
- Review CA Compromise Plan
- NIST Preparing for and Responding to Certification Authority Compromise and Fraudulent Certificate Issuance, co-developed with Venafi, is a good resource for security teams to help build their programs
Please contact Venafi support with any questions or help with remediation.