In 2020, SecurityScorecard uncovered a case in which self-signed certificates caused misattributions for CDN IPs, and IPs shared by many websites. At the time, we mitigated this issue by labeling CDNs (e.g. Cloudflare, Akamai, Fastly, etc.), so that customers could easily determine if their scoring problems were related to shared IPs. However, hCaptcha – a leader in bot mitigation and fraud detection – has brought to our attention that the correct attribution process we implemented is being abused and directly impacted their score. This issue could result in significant disruptions to other SecurityScorecard customers, vendors, or prospects.
Currently, SecurityScorecard attributes IP addresses of self-signed certificates that are observed twice over a 60 day period. Once the issue was flagged by hCaptcha in December of 2021, we took a closer look at their claim. Upon inspection, we uncovered that a self-signed certificate was attributed to hCaptcha associating the organization with the disputed IP. In this case, we adhered to our internal processes and attributed 18.104.22.168 to hCaptcha.
By the close of the year, hCaptcha refuted a number of issues on 22.214.171.124 and left a public comment on their Scorecard reiterating that 126.96.36.199 was not theirs, despite the existence of the self-signed certificate. Upon review, the hCaptcha SOC team linked this host to an unsuccessful APT attack sequence on a hCaptcha Enterprise customer. The SecurityScorecard Global Investigations team then dug into this IP and found that as of March 1, 2022, there were numerous malicious connections to Darknet scanning activity (Source: Greynoise), as well as malware hashes dropped from the IP (Source: VirusTotal + SecurityScorecard Threat Intelligence), and hosting with known Russian ISP (selectel.ru), which has hosted many threat actors, including the latest attacks against Ukraine by Russia’s Crimean-based FSB (i.e. the APT group known as Gameradon) attached to the disputed domain. Additionally, the certificate information shown in SecurityScorecard’s platform indicated certificates with common names such as “Popov” and the use of intentionally (non-default) vulnerable ciphers and hash functions (3DES, RC4, and MD5): https://attacksurface.securityscorecard.io/#/detail/188.8.131.52 (for access to A.S.I., please speak with your SecurityScorecard Account Manager or contact us).
Enrichment of 184.108.40.206 Linking to Known Malicious Activity
In situations like this, SecurityScorecard asserts that self-signed certificates can be generated for any domain for one of the reasons enumerated below:
Externally (malicious, and could impact score)
Upon further review, we believe 3) to be the case for 220.127.116.11 based on the threat data SecurityScorecard has aggregated from this domain – connected to honeypots, scanning, and malicious activity. We believe that this loophole could eventually be exploited at-scale by threat actors, resulting in negative scoring outcomes for the targeted companies.
Previously, we took steps to label host-based measurements as informational within the scorecard to alleviate this issue. At the time, the attack vector detected by hCaptcha, the targeting an IP-based attribution system, extending beyond WHOIS and using SSL/TLS certificates and other information (as SecurityScorecard or any other VRM platform may), was unknown to the community and to SecurityScorecard. Essentially, the vector is present due to the sophisticated, advanced nature of our system. We can accurately detect that IP 18.104.22.168, while registered with AT&T, is actually controlled by johndoe.com. However, more complex attribution has resulted in fringe cases in which perceived normal Internet behavior (registering a certificate to a domain) has affected systems that process such information as a last-resort ground truth for IP attribution (as we do, if nothing else is available).
We are currently analyzing the scope of this behavior (1-3 above) and are actively gathering scorecards that possess significant anomalies on IP addresses that were attributed via self-signed certificates. Through this research, we will determine if all findings attributed in this manner should be updated as “informational” within our scorecards.
In the immediate term, we have already removed all findings and attribution of 22.214.171.124 to hCaptcha. This caused their revised score to increase from 60 to 100, one of the highest scores seen for any major online service.
Our Next Steps
In the interest of bucketing self-signed certificate attributed IP-based issues, we are currently taking the following steps:
Accelerating data flow of SSL-generated scans for IPs with SNI info into production immediately.
Evaluating and generating an analysis of ALL scored issues on the platform tied to a scorecard domain that is derived from an IP address that is attributed to the said scorecard domain based on a self-signed certificate.
Moving forward, we believe that we can enhance the product and deliver more value to customers by labeling such findings as informational on the scorecard (i.e. not impacting the organization’s score) so that customers can investigate whether the certificate was generated intentionally or maliciously (e.g. to sabotage the scorecard, their vendors, or their customers).
As we continue to investigate this issue, we will keep the community abreast of any new developments including the scale and scope of these malicious misattributions. Furthermore, steps will be taken to mitigate the impact of any malicious self-signed certificate-related issues on affected scorecards.
Funded by world-class investors including Evolution Equity Partners, Silver Lake Waterman, Sequoia Capital, GV, Riverwood Capital, and others, SecurityScorecard is the global leader in cybersecurity ratings with more than 12 million companies continuously rated. Founded in 2013 by security and risk experts Dr. Aleksandr Yampolskiy and Sam Kassoumeh, SecurityScorecard’s patented rating technology is used by over 30,000 organizations for enterprise risk management, third-party risk management, board reporting, due diligence, cyber insurance underwriting, and regulatory oversight. SecurityScorecard is the first cybersecurity ratings company to offer digital forensics and incident response services, providing a 360-degree approach to security prevention and response for its worldwide customer and partner base. SecurityScorecard continues to make the world a safer place by transforming the way companies understand, improve and communicate cybersecurity risk to their boards, employees and vendors. Every organization has the universal right to their trusted and transparent Instant SecurityScorecard rating. For more information, visit securityscorecard.com or connect with us on LinkedIn.
hCaptcha offers unparalleled, machine learning-powered fraud detection solutions to protect online properties from sophisticated, automated attacks. Unlike other solutions, hCaptcha maintains broad privacy and security compliance for its customers and their end-users while leveraging a rapidly deployable, modern, and scalable architecture to deliver security with minimal friction.
For more information, please visit: https://www.hcaptcha.com/enterprise