Endpoint
6/10/2015 03:30 PM
Duqu 2.0 Attack On Kaspersky Lab Opens Chilling New Chapter In Cyber Espionage

New nation-state campaign with previous ties to Stuxnet spies on a security firm's research and anti-cyber-espionage technologies -- plus participants in the Iranian nuclear negotiations and their telecommunications and mobile providers.

A notorious and advanced nation-state cyber espionage group has turned the tables on Kaspersky Lab, a security firm that has closely tracked and studied its movements over the past few years, by quietly infiltrating the company's network to spy on the vendor's latest attack detection technology and its research on advanced attacks.

Kaspersky Lab revealed today that the group behind Duqu -- a cyberspying malware tool first discovered in 2011 and believed to have been used for intelligence-gathering in support of the Stuxnet cyber sabotage attacks on Iran's nuclear facility -- had hacked its way into the company's corporate network in an apparent attempt to gather intelligence on the firm's latest technologies for thwarting advanced threats such as Duqu, as well as on Kaspersky's intelligence about such attacks and the groups behind them.

The targeted attack against Kaspersky Lab represents a dramatic shift in the nation-state attack landscape: a sophisticated attacker successfully went after a security company's technology and research for intelligence-gathering purposes of its own. This is not the first time a nation-state has hacked a security vendor: RSA Security in 2011 and Bit9 in 2013, for example, were each hit by nation-state cyberspies, allegedly from China, who stole their technologies, but those intrusions were stepping-stones to the vendors' high-profile customers, the attackers' ultimate targets. This most recent attack, meanwhile, raises fresh concerns about how security companies can protect their customers with their technology if that very technology has been exposed to advanced, well-resourced attackers intent on bypassing it.

Symantec, which also has studied the new attacks, says it was not hit by Duqu 2.0. Nor were FireEye and Trend Micro, according to those firms.

"I just want to confirm that unfortunately, we were facing a very serious cyberattack that was found in our corporate network, and the attack was extremely sophisticated," Eugene Kaspersky, CEO of Kaspersky Lab, said in a press conference today. "We have never [seen] anything similar to this attack. This is a new generation of a most likely state-sponsored malware … the attack is very complicated, and it's almost invisible."

He maintained that none of his company's customers or partners were affected, and that no corporate or financial information was taken -- just its new technology, including Kaspersky's Secure Operating System platform, Kaspersky Fraud Detection, and its Security Network and Anti-APT products and services.

"It is stupid to attack a cyber security company. Sooner or later, we'll find out," Kaspersky said today in the press event.

Aside from Kaspersky Lab, Duqu 2.0 has also targeted some 100 victims in Western countries, the Middle East, Russia, and Asia. Some of the targets were involved with the P5+1 meetings and venues associated with the nuclear negotiations with Iran, according to findings by Kaspersky and Symantec. Among the targets are a telecommunications operator in Europe, one in North Africa, and a Southeast Asian electronic equipment manufacturer; Symantec also found machines infected with Duqu 2.0 in the US, UK, Sweden, India, and Hong Kong.

The telecommunications providers and the equipment vendor are likely "stepping stones" to the final targets, compromised in order to monitor those targets' mobile or other communications, according to Symantec.

"To circumvent encryption" to conduct spying, you might want to know the chipset of a mobile carrier, for example, says Vikram Thakur, senior manager of Symantec Security Response.

What sets Duqu 2.0 apart from its predecessor and other attacks is how it hides: the code runs only in the victim computer's memory and leaves almost no traces on the hard drive. So if a machine is rebooted, the infection on that machine is wiped out. Even so, Duqu 2.0 includes a remote mechanism for reinfecting a machine after a reboot if the attackers need it back.

Thakur says the Duqu 2.0 attack on Kaspersky Lab represents a new type of attack by nation-state actors. "I think what we saw with Kaspersky Lab is unprecedented. We have not seen this happen before. We've seen attacks on the security industry -- and at Symantec, we face a lot of attack" attempts, he says. "But we don't believe those attacks are driven by nation-states trying to get a grip on the research we're doing."

"This raises the bar. The security industry has to look over our own shoulders now," Thakur says. "It's not just cybercriminals chasing us at this point. It's distressing and alarming at the same time that people with such resources are trying to monitor upcoming research and technology, because at the end of the day, we're fighting the good fight and trying to reduce the amount of malware on our own customer base."

Although neither Kaspersky nor Symantec would share theories on which nation is behind Duqu, many experts say the most likely culprit is Israel, although attribution is tricky in the cloak-and-dagger world of nation-state spying.

Eugene Kaspersky said he's sure the attackers were studying and watching his company's work. "I'm pretty sure they were watching … information related to our virus research and technologies in how we find malware, how we process this malware, and which kind of malware is manually processed," he said.

Kaspersky Lab today also published a detailed technical report on Duqu 2.0, which deployed three zero-day exploits: CVE-2015-2360, patched by Microsoft yesterday; CVE-2014-6324, a Kerberos privilege-escalation flaw that Microsoft fixed in November 2014 (MS14-068); and a third, still-unknown exploit that hit the first victim at Kaspersky. That third bug remains a mystery: the attackers wiped the victim's browser history and inbox to hide the initial phishing attack.

"All we can say now is that probably [it] was a highly targeted spear-phishing campaign, containing a link to a malicious website with an exploit. We suppose this could be a CVE-2014-4148 exploit that allowed the attackers to jump directly into kernel mode from a Word document, which was apparently also used by the Duqu attackers last year," says Kurt Baumgartner, principal security researcher at Kaspersky Lab.

The second exploit, used after the initial vector that hit "patient zero" at Kaspersky, abused CVE-2014-6324, a bug that lets an unprivileged domain user become a domain administrator. The third was the newly patched CVE-2015-2360, a flaw in the Windows kernel-mode driver (win32k.sys) that manages memory and validates user-supplied input; a local attacker who exploits it can install programs, view, change or delete data, and create new accounts with full user rights.

The attack on Kaspersky Lab had been underway for months before it was finally detected early this year, while the company was testing a prototype of its anti-APT product. Duqu 2.0, which obtains domain administrator privileges in the victim's network, spreads to other machines as Microsoft Installer (MSI) packages so that its deployment looks like routine software installation, and it flies under the radar with well-masked communications to its command-and-control infrastructure.

"They [Duqu 2.0 attackers] were able to merge their traffic along with common communications" so it would blend in, Thakur says.
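As an added example, not code from the article, Kaspersky Lab or Symantec, the following Python script shows what hunting for the lateral-movement technique described above can look like: it parses constructed process-creation records (a Windows event 4688-style key=value layout invented here) and flags msiexec.exe launches whose package comes from a temp or staging directory, lacks an .msi extension, is pulled from another host's administrative share, or is installed silently by a non-interactive parent such as a scheduled task. The record layout, the sample lines and every heuristic are this editor's assumptions; the article publishes no indicators, so a real hunt should be tuned against the environment's own installer baseline.

```python
"""Hunt process-creation logs for msiexec.exe launches that look like malware
staging rather than ordinary software installs.

Added example. The record layout, sample lines and heuristics are assumptions
made for illustration; they are not indicators from the article or Kaspersky Lab.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed records in a Windows event 4688-like key=value layout (not real telemetry).
SAMPLE_EVENTS = [
    "2015-05-02 03:14:07 host=WS-042 user=CORP\\SYSTEM parent=taskeng.exe "
    "cmd=msiexec.exe /i C:\\Windows\\Temp\\tmp4f2a.tmp /q",
    "2015-05-02 09:30:11 host=WS-017 user=CORP\\jdoe parent=explorer.exe "
    "cmd=msiexec.exe /i C:\\Users\\jdoe\\Downloads\\7z920-x64.msi",
    "2015-05-02 11:02:45 host=SRV-DC1 user=CORP\\SYSTEM parent=services.exe "
    "cmd=msiexec.exe /V",
    "2015-05-03 01:45:00 host=WS-088 user=CORP\\svc_backup parent=svchost.exe "
    "cmd=msiexec.exe /i \\\\WS-042\\C$\\ProgramData\\update.msi /quiet",
    "2015-05-03 08:00:00 host=WS-017 user=CORP\\jdoe parent=explorer.exe "
    "cmd=notepad.exe",
]

EVENT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"parent=(?P<parent>\S+) cmd=(?P<cmd>.*)$"
)
# Package argument after /i, /package or /a; quoted paths may contain spaces.
PACKAGE_RE = re.compile(r'/(?:i|package|a)\s+("[^"]+"|\S+)', re.IGNORECASE)
# Silent-install switches: /q, /qn, /qb, /qr, /qf, /quiet.
QUIET_RE = re.compile(r"(?:^|\s)/q(?:n|b|r|f|uiet)?(?:\s|$)", re.IGNORECASE)
# A package under \\host\C$\... was fetched from another machine's admin share.
ADMIN_SHARE_RE = re.compile(r"\\\\[^\\]+\\[a-z]\$\\", re.IGNORECASE)
# Directories a legitimate installer rarely runs from (assumed staging locations).
STAGING_DIRS = ("\\temp\\", "\\appdata\\local\\temp\\", "\\programdata\\", "\\users\\public\\")
# Parents that indicate a person at the console rather than a scheduled or remote launch.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe"}


@dataclass
class Finding:
    host: str
    user: str
    cmd: str
    reasons: List[str] = field(default_factory=list)


def package_path(cmd: str) -> Optional[str]:
    """Return the package path passed to msiexec, or None if no package is given."""
    m = PACKAGE_RE.search(cmd)
    return m.group(1).strip('"') if m else None


def assess(event: Dict[str, str]) -> Optional[Finding]:
    """Score one parsed record; return a Finding if any heuristic fires."""
    cmd = event["cmd"]
    exe = cmd.split()[0].lower() if cmd.strip() else ""
    if not exe.endswith("msiexec.exe"):
        return None
    pkg = package_path(cmd)
    if pkg is None:
        return None  # e.g. "msiexec /V" is the Windows Installer service itself
    low = pkg.lower()
    reasons = []
    if any(d in low for d in STAGING_DIRS):
        reasons.append("package staged in a temp or ProgramData directory")
    if not low.endswith(".msi"):
        reasons.append("package lacks an .msi extension")
    if ADMIN_SHARE_RE.match(low):
        reasons.append("package pulled from another host's administrative share")
    if event["parent"].lower() not in INTERACTIVE_PARENTS and QUIET_RE.search(cmd):
        reasons.append("silent install launched by a non-interactive parent")
    return Finding(event["host"], event["user"], cmd, reasons) if reasons else None


def hunt(lines: List[str]) -> List[Finding]:
    """Parse raw records and return the suspicious msiexec launches."""
    findings = []
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue  # malformed record; in production, count these rather than drop them silently
        finding = assess(m.groupdict())
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.host} {f.user}: {f.cmd}")
        for r in f.reasons:
            print(f"    - {r}")
```

On the constructed sample, the interactive 7-Zip install and the Installer service's own `msiexec /V` pass clean, while the scheduled-task launch of a `.tmp` package from `C:\Windows\Temp` and the silent install pulled over `\\WS-042\C$` are flagged with their reasons. Treat the reasons as triage context, not verdicts: a software-deployment tool that pushes packages from ProgramData as SYSTEM will trip the same checks and belongs in an allowlist keyed on its parent process.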

The Duqu attackers, who haven't been seen in action by Kaspersky since March 2012, began this latest attack campaign sometime in the fall of 2013.

Nothing 'Critical' Exposed

Kaspersky officials maintain that the intellectual property exposed in the attack doesn't hurt the integrity of their products. There was nothing "critical to the operation of the company's products" exposed in the attack, Baumgartner says.

But security experts say the attacks are a dangerous precedent for security.

"It's a worrying thing that most likely a state-backed group attacked a private company in a different country, or even countries. It is even more worrying that such attacks might also happen to other security companies. This is not just harmful to global computer security, but introduces trust issues," says Boldizsar Bencsath, security expert at the Budapest University of Technology and Economics' Laboratory of Cryptography and Systems. "How should a single user select a security product? How should security companies handle these types of events?"

Bencsath, whose team discovered the very first variant of Duqu, says Kaspersky Lab was "brave" to give details of the attack on its own infrastructure. He says his team has found no evidence of Duqu 2.0 infections at its site, and posted a blog on the new variant today.

Kaspersky Lab hasn't seen any ties between Duqu 2.0 and the so-called Equation Group -- thought by many in the industry to be the US National Security Agency -- although there were indications of some ties with Stuxnet.

"While the two groups, Duqu and Equation, might have cooperated in the past, it seems they are now separate – for instance, one victim of Duqu 2.0 was infected by both the Equation Group and Duqu at the same time, indicating the two entities are different and competing for information from their victims," Kaspersky's Baumgartner says.

Duqu 2.0 is still active, he says, despite being outed.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
jarnold985, User Rank: Apprentice
6/12/2015 | 9:40:11 PM
Pull the Plug
Isn't it time to call a spade a spade and pull the plug on China? If China is so important to our mega billionaires, then let them fix China and when it's fixed reconnect them!