6/10/2015
03:30 PM
Duqu 2.0 Attack On Kaspersky Lab Opens Chilling New Chapter In Cyber Espionage

New nation-state campaign with previous ties to Stuxnet spies on a security firm's research and anti-cyberspying technologies -- plus participants in the Iranian nuclear negotiations and their telecommunications and mobile providers.

A notorious and advanced nation-state cyber espionage group has turned the tables on Kaspersky Lab, a security firm that has closely tracked and studied its movements over the past few years, by quietly infiltrating the company's network to spy on the vendor's latest attack detection technology and its research on advanced attacks.

Kaspersky Lab revealed today that the group behind Duqu -- a cyberspying malware tool first discovered in 2011 and believed to be used for intel-gathering as part of the Stuxnet cyber sabotage attacks on Iran's nuclear facility -- had hacked its way into the company's corporate network in an apparent attempt to gather intelligence on the firm's latest technologies for thwarting advanced attacks such as Duqu, as well as Kaspersky's intel on such attacks and the groups behind them.

The targeted attack against Kaspersky Lab represents a dramatic shift in the nation-state attack landscape, with a sophisticated attacker successfully going after a security company's technology and research for intel-gathering purposes of its own. This of course is not the first time a nation-state has hacked a security vendor: RSA Security in 2011 and Bit9 in 2013, for example, were each hit by nation-state cyberspies allegedly from China stealing their technologies, but those attacks were stepping-stones to the vendors' high-profile customers, the attackers' ultimate targets. This most recent attack, meanwhile, raises fresh concerns about just how security companies can protect their own customers with their technology if that very technology has been exposed to advanced and well-oiled hackers hell-bent on bypassing it.

Symantec, which also has studied the new attacks, says it was not hit by Duqu 2.0. Nor were FireEye and Trend Micro, according to those firms.

"I just want to confirm that unfortunately, we were facing a very serious cyberattack that was found in our corporate network, and the attack was extremely sophisticated," Eugene Kaspersky, CEO of Kaspersky Lab, said in a press conference today. "We have never [seen] anything similar to this attack. This is a new generation of a most likely state-sponsored malware … the attack is very complicated, and it's almost invisible."

He maintained that neither his company's customers nor its partners were affected, and that no corporate or financial information was hit -- just its new technology, including Kaspersky's Secure Operating System platform, Kaspersky Fraud Detection, and its Security Network and Anti-APT products and services.

"It is stupid to attack a cyber security company. Sooner or later, we'll find out," Kaspersky said today in the press event.

Aside from Kaspersky Lab, Duqu 2.0 has also targeted some 100 victims in Western countries, the Middle East, Russia, and Asia. Some of the targets were involved with the P5+1 meetings and venues associated with the nuclear negotiations with Iran, according to findings by Kaspersky and Symantec. Among the targets are a telecommunications operator in Europe, one in North Africa, and a Southeast Asian electronic equipment manufacturer; Symantec also found machines in the US, UK, Sweden, India, and Hong Kong carrying a Duqu 2.0 infection.

The telecommunications providers and equipment vendor victims are likely "stepping stones" to the final target, and were exploited for monitoring those individuals' mobile or other communications, according to Symantec.

"To circumvent encryption" in order to conduct spying, you might want to know the chipset a mobile carrier uses, for example, says Vikram Thakur, senior manager of Symantec Security Response.

What sets Duqu 2.0 apart from its predecessor and other attacks is how it hides out: the code runs in the victim computer's memory only, and deletes its tracks on the hard drive. So if a machine is rebooted, the infection is eradicated. Even so, Duqu 2.0 has a remote process for reinfecting a machine if necessary after it's rebooted.

Thakur says the Duqu 2.0 attack on Kaspersky Lab represents a new type of attack by nation-state actors. "I think what we saw with Kaspersky Lab is unprecedented. We have not seen this happen before. We've seen attacks on the security industry -- and at Symantec, we face a lot of attack" attempts, he says. "But we don't believe those attacks are driven by nation-states trying to get a grip on the research we're doing."

"This raises the bar. The security industry has to look over our own shoulders now," Thakur says. "It's not just cybercriminals chasing us at this point. It's distressing and alarming at the same time that people with such resources are trying to monitor upcoming research and technology, because at the end of the day, we're fighting the good fight and trying to reduce the amount of malware on our own customer base."

Although neither Kaspersky nor Symantec would share their theories on just which nation is behind Duqu, many experts say the more likely culprit is Israel, although attribution can be tricky in the cloak-and-dagger world of nation-state spying.

Eugene Kaspersky said he's sure the attackers were studying and watching his company's work. "I'm pretty sure they were watching … information related to our virus research and technologies in how we find malware, how we process this malware, and which kind of malware is manually processed," he said.

Kaspersky Lab today also published a detailed technical report on Duqu 2.0, which deployed three zero-day exploits: one patched by Microsoft yesterday (CVE-2015-2360), CVE-2014-6324, and a third, still-unidentified exploit that hit the first victim at Kaspersky. That third bug remains a mystery: the attackers wiped the victim's browser history and inbox to hide the initial phishing attack.

"All we can say now is that probably [it] was a highly targeted spear-phishing campaign, containing a link to a malicious website with exploit. We suppose this could be a CVE-2014-4148 exploit that allowed the attackers to jump directly into kernel mode from a Word Document, which was apparently also used by the Duqu attackers last year," says Kurt Baumgartner, principal security researcher at Kaspersky Lab.

The second exploit, used after the initial attack vector that hit "patient zero" at Kaspersky, targeted a bug that lets an unprivileged domain user become a domain administrator. The third was the newly patched CVE-2015-2360, a Windows bug in the kernel-mode driver that manages memory and validates input from users; the flaw lets an attacker install his own programs, view, change, or delete data, and create new user accounts with high privileges.

The attack on Kaspersky Lab had been underway for months before it was finally detected early this year while the company was testing a prototype of its anti-APT product. Duqu 2.0, which obtains domain administrator privileges on its victim, spreads via Microsoft Software Installer as a way to hide in plain sight, and flies under the radar with well-masked communications to its command-and-control infrastructure.

"They [Duqu 2.0 attackers] were able to merge their traffic along with common communications" so it would blend in, Thakur says.

The Duqu attackers, who haven't been seen in action by Kaspersky since March 2012, began this latest attack campaign sometime in the fall of 2013.

Nothing 'Critical' Exposed

Kaspersky officials maintain that their intellectual property exposed in the attack doesn't hurt the integrity of their products. There was nothing "critical to the operation of the company's products" exposed in the attack, Baumgartner says.

But security experts say the attacks are a dangerous precedent for security.

"It's a worrying thing that most likely a state-backed group attacked a private company in a different country, or even countries. It is even more worrying that such attacks might also happen to other security companies. This cannot just be harmful to global computer security, but introduces trust issues," says Boldizsar Bencsath, security expert at the Budapest University of Technology and Economics' Laboratory of Cryptography and Systems. "How should a single user select a security product? How should security companies handle these types of events?"

Bencsath, whose team discovered the very first variant of Duqu, says Kaspersky Lab was "brave" to give details of the attack on its own infrastructure. He says his team has found no evidence of Duqu 2.0 infections at its site, and posted a blog on the new variant today.

Kaspersky Lab hasn't seen any ties between Duqu 2.0 and the so-called Equation Group -- thought by many in the industry to be the US National Security Agency -- although there were indications of some ties with Stuxnet.

"While the two groups, Duqu and Equation, might have cooperated in the past, it seems they are now separate -- for instance, one victim of Duqu 2.0 was infected by both the Equation Group and Duqu at the same time, indicating the two entities are different and competing for information from their victims," Kaspersky's Baumgartner says.

Duqu 2.0 is still active, he says, despite being outed.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing and Secure Enterprise.

Comment from jarnold985 (6/12/2015, 9:40:11 PM), "Pull the Plug":

Isn't it time to call a spade a spade and pull the plug on China? If China is so important to our mega billionaires, then let them fix China and when it's fixed reconnect them!