TPG Community

Get online support

MITM Attack - Possibly TPG network?

nick_h
Level 2

Hello,

 

I have experienced what I presume to be an attempted MITM attack while visiting an CDNS (Cloudflare) server.

 

This incident occurred while browsing a website using TPG internet (tethered mobile to what I believe to be a secure linux machine). I believe there is a possibility that this occurred somewhere upstream from my device, possibly in the TPG network.

 

I have attached a photo of the self-signed (fraudulent) certificate, for a HTTPS request made at approximately 2021-01-25 1514 AET.

 

I would greatly appreciate talking to somone from the technical team who has capacity to look into this. PM if necessary.

 

Thank you,

Nick

2 REPLIES 2
david64
Level 15

Hi nick_h. How did you get to the URL in the photo?

www.cloudflare.com uses a certificate from Baltimore CyberTrust Root as Certification Authority.

The one in your photo is suspicious because it expires 270 years from now.    Chrome rejects it because it's not in the certificate store.    What was the error screen from Chrome?

You could try accessing cloudflare from your mobile phone using mobile data.

Check the DNS addresses in the wifi router. You could try different DNS, eg. Google or Microsoft.

nick_h
Level 2

Hello David,

 

That URL was through a web app request (mine), the error was reported in Chrome, and I agree, it is suspicious.

 

I viewed the same link from my phone as well, and encountered the same problem, indicating an upstream issue. Hence my concern that it was an issue within the TPG network. 

 

After a minute or two, and retrying again on phone and desktop, the correct cert was presented, and the issue was not able to be reproduced.

 

I suspect an upstream malware incident because I do not operate any Windows OS, and there are other cases of this cert being used in malware: https://www.hybrid-analysis.com/sample/554e7460fa29794669dbcce6a937cb61eac0ad4503abbaa5d797da2b9cf13...

 

Nick