Unauthorized root access - stolen certificates

Hello, I'm having a bit of a security issue.

I have two different virtual servers that have different IPs, and they are "physically" different machines with nothing in common.

I have two domains:
mydomain.org
subdomain.mydomain.org

In my DNS the subdomain points to one server while the main domain points to the other.

The issue: Someone who should not have root access to the subdomain server had root access. Let's say I can't be sure if any data was stolen, but let's assume they took all the certificates and anything else there was.

What should I do? Is there anything to be done with the certificates? Let's assume following is done:

  • subdomain.mydomain.org is completely removed from DNS
  • the physical machine is completely wiped from existence.
  • The attacker never got access to the mydomain.org machine

Can they still do something? Do I need to (or can I) somehow revoke the subdomain.mydomain.org certificate? The subdomain does not exist any more, nor does the machine where it was hosted.

1 Like

If you can demonstrate control over the subdomain, you can request revoking the current cert for it.

Better would be if you still had the private key (in a backup or whatever) of the cert, and then you could revoke for reason "keyCompromise", which ensures that that key can't be used again.

There's some information in the documentation:

Well, that's the question. All someone could generally do with the certificate would be to impersonate the server, which would require the attacker to convince the victim to visit their server while thinking it was your server (by spoofing DNS, or being in the network path, or having malware on the machine, or whatever). With some old cipher suites it's possible that, if the attacker had been able to monitor old encrypted traffic, they could decrypt it, but most modern systems don't allow that to happen.

Though if an attacker had root access to the server directly, they could monitor and edit the traffic from that end of things anyway.

3 Likes
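The "old cipher suites" point above is about forward secrecy: with RSA key exchange, the certificate's private key decrypts the session key, so a stolen key unlocks any traffic the attacker recorded earlier; with (EC)DHE and TLS 1.3 the certificate key only signs, and recorded traffic stays safe. The following is an added example, not code from the thread or from Let's Encrypt, that uses only Python's standard-library `ssl` module to list which suites in a server cipher configuration lack forward secrecy. The cipher strings `WEAK_CIPHERS` and `HARDENED_CIPHERS` are assumptions for illustration, and the check inspects the local OpenSSL build rather than a live server.

```python
"""Added example: find TLS cipher suites in a server configuration whose key
exchange is not ephemeral (no forward secrecy).  Not from the original thread."""
import ssl

# Key-exchange labels OpenSSL reports (via Python's get_ciphers()) for suites
# whose session keys do not depend on the certificate's private key.
# TLS 1.3 suites report 'kx-any' because TLS 1.3 always uses an ephemeral exchange.
FORWARD_SECRET_KX = {"kx-ecdhe", "kx-dhe", "kx-ecdhe-psk", "kx-dhe-psk", "kx-any"}

# Assumed example configurations: a permissive one that still allows static RSA
# key exchange (e.g. AES128-GCM-SHA256) and a hardened one that does not.
WEAK_CIPHERS = "ALL:!aNULL:!eNULL"
HARDENED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5"


def suites_for(cipher_string):
    """Return the suite descriptions OpenSSL would enable for a server context."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return ctx.get_ciphers()


def non_forward_secret(cipher_string):
    """Names of enabled suites where a leaked certificate key decrypts past traffic."""
    return [c["name"] for c in suites_for(cipher_string)
            if c["kea"] not in FORWARD_SECRET_KX]


def forward_secrecy_report(cipher_string):
    """Summarise a configuration: total suites, offending suites, and a verdict."""
    offending = non_forward_secret(cipher_string)
    return {
        "total_suites": len(suites_for(cipher_string)),
        "non_forward_secret": offending,
        "forward_secret_only": not offending,
    }


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CIPHERS), ("hardened", HARDENED_CIPHERS)):
        report = forward_secrecy_report(cfg)
        print(f"{label}: forward_secret_only={report['forward_secret_only']}")
        for name in report["non_forward_secret"]:
            print(f"  recorded traffic decryptable with stolen key: {name}")
```

Run it against the cipher string your web server actually uses; anything the hardened configuration rejects is a suite where the stolen key would also expose old captures, which is the case Peter's answer is warning about.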

Just adding to Peter's nice comment: you need to revoke the certificate to comply with the Let's Encrypt Subscriber Agreement. From the page he linked:

Still, revoking certificates that correspond to compromised private keys is an important practice, and is required by Let’s Encrypt’s Subscriber Agreement.

4 Likes

Thank you. I've followed instructions provided and revoked the certificate.

2 Likes

If you don't have one already, now is a good time to start developing a post-intrusion plan for security breaches. If you do have one, be sure to update it with a LetsEncrypt section.

5 Likes
