Duqu 2.0 Attack On Kaspersky Lab Opens Chilling New Chapter In Cyber Espionage

Published: 22/11/2024   Category: security




New nation-state campaign with previous ties to Stuxnet spies on a security firm's research and anti-cyber-spying technologies -- plus participants in the Iranian nuclear negotiations and their telecommunications and mobile providers.



A notorious and advanced nation-state cyber espionage group has turned the tables on Kaspersky Lab, a security firm that has closely tracked and studied its movements over the past few years, by quietly infiltrating the company's network to spy on the vendor's latest attack-detection technology and its research on advanced attacks.
Kaspersky Lab revealed today that the group behind Duqu -- a cyberspying malware tool first discovered in 2011 and believed to have been used for intelligence-gathering as part of the Stuxnet cyber-sabotage attacks on Iran's nuclear facility -- had hacked its way into the company's corporate network in an apparent attempt to gather intelligence on the firm's latest technologies for thwarting advanced attackers such as the Duqu group, as well as Kaspersky's intelligence on such attacks and groups.
The targeted attack against Kaspersky Lab represents a dramatic shift in the nation-state attack landscape, with a sophisticated attacker successfully going after a security company's technology and research for intelligence-gathering purposes of its own. This of course is not the first time a nation-state has hacked a security vendor: RSA Security in 2011 and Bit9 in 2013, for example, were each hit by nation-state cyberspies allegedly from China stealing their technologies, but those attacks were stepping-stones to the vendors' high-profile customers, the attackers' ultimate targets. This most recent attack, meanwhile, raises fresh concerns about just how security companies can protect their own customers with their technology if that very technology has been exposed to advanced and well-oiled hackers hell-bent on bypassing it.
Symantec, which also has studied the new attacks, says it was not hit by Duqu 2.0. Nor were FireEye and Trend Micro, according to those firms.
"I just want to confirm that unfortunately, we were facing a very serious cyberattack that was found in our corporate network, and the attack was extremely sophisticated," Eugene Kaspersky, CEO of Kaspersky Lab, said in a press conference today. "We have never [seen] anything similar to this attack. This is a new generation of a most likely state-sponsored malware … the attack is very complicated, and it's almost invisible."
He maintained that none of his company's customers or partners were affected, and that no corporate or financial information was hit -- just its new technology, including Kaspersky's Secure Operating System platform, Kaspersky Fraud Detection, and its Security Network and Anti-APT products and services.
"It is stupid to attack a cyber security company. Sooner or later, we'll find out," Kaspersky said today at the press event.
Aside from Kaspersky Lab, Duqu 2.0 has also targeted some 100 victims in Western countries, the Middle East, Russia, and Asia. Some of the targets were involved with the P5+1 meetings and venues associated with the nuclear negotiations with Iran, according to findings by Kaspersky and Symantec. Among the targets are a telecommunications operator in Europe and one in North Africa, as well as a Southeast Asian electronic equipment manufacturer, and machines in the US, UK, Sweden, India, and Hong Kong were found by Symantec to contain a Duqu 2.0 infection.
The telecommunications providers and equipment vendor victims are likely stepping stones to the final target, and were exploited for monitoring those individuals' mobile or other communications, according to Symantec.
"To circumvent encryption to conduct spying, you might want to know the chipset of a mobile carrier, for example," says Vikram Thakur, senior manager of Symantec Security Response.
What sets Duqu 2.0 apart from its predecessor and other attacks is how it hides out: the code runs in the victim computer's memory only, and deletes its tracks on the hard drive. So if a machine is rebooted, the infection is eradicated. Even so, Duqu 2.0 has a remote process for reinfecting a machine if necessary after it's rebooted.
Thakur says the Duqu 2.0 attack on Kaspersky Lab represents a new type of attack by nation-state actors. "I think what we saw with Kaspersky Lab is unprecedented. We have not seen this happen before. We've seen attacks on the security industry -- and at Symantec, we face a lot of attack attempts," he says. "But we don't believe those attacks are driven by nation-states trying to get a grip on the research we're doing."
"This raises the bar. The security industry has to look over our own shoulders now," Thakur says. "It's not just cybercriminals chasing us at this point. It's distressing and alarming at the same time that people with such resources are trying to monitor upcoming research and technology, because at the end of the day, we're fighting the good fight and trying to reduce the amount of malware on our own customer base."
Although neither Kaspersky nor Symantec would share their theories on just which nation is behind Duqu, many experts say the more likely culprit is Israel, although attribution can be tricky in the cloak-and-dagger world of nation-state spying.
Eugene Kaspersky said he's sure the attackers were studying and watching his company's work. "I'm pretty sure they were watching … information related to our virus research and technologies in how we find malware, how we process this malware, and which kind of malware is manually processed," he said.
Kaspersky Lab today also published a detailed technical report on Duqu 2.0, which deployed three zero-day exploits, including one patched by Microsoft yesterday (CVE-2015-2360), CVE-2014-6324, and a third still-unknown exploit that hit the first victim at Kaspersky. That third bug remains a mystery: the attackers wiped the victim's browser history and inbox to hide the initial phishing attack.
"All we can say now is that probably [it] was a highly targeted spear-phishing campaign, containing a link to a malicious website with an exploit. We suppose this could be a CVE-2014-4148 exploit that allowed the attackers to jump directly into kernel mode from a Word document, which was apparently also used by the Duqu attackers last year," says Kurt Baumgartner, principal security researcher at Kaspersky Lab.
The second exploit, used after the initial attack vector that hit patient zero at Kaspersky, exploited a bug that lets an unprivileged domain user become a domain administrator. The third was the newly patched CVE-2015-2360, a Windows bug in the kernel-mode driver that manages memory and validates input from users; the flaw lets an attacker install his own programs, view, change or delete data, and create new user accounts with high privileges.
The attack on Kaspersky Lab had been underway for months before it was finally detected early this year while the company was testing a prototype of its anti-APT product. Duqu 2.0, which obtains domain administrator privileges on its victim, spreads via Microsoft Software Installer as a way to hide in plain sight, and flies under the radar with well-masked communications to its command-and-control infrastructure.
"They [Duqu 2.0 attackers] were able to merge their traffic along with common communications so it would blend in," Thakur says.
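The two traits just described, spreading through Microsoft Software Installer packages and doing so with domain-administrator rights, are what a defender can turn into telemetry: even a memory-only implant leaves process-creation records when it launches msiexec. The following is an added example, not code from the original article, from Kaspersky Lab or from Symantec, and not a Duqu 2.0 signature. It is a Python heuristic that reviews constructed process-creation records for msiexec launches and reports the ones that combine several suspicious features. The record format, host names, account names, file paths, the hard-coded admin group and the list of remote-execution parent processes are all constructed assumptions; the msiexec switches it checks for are real.

```python
"""Heuristic review of Windows Installer (msiexec) process-creation records.

Added illustration; not Kaspersky Lab's or Symantec's code and not a Duqu 2.0
signature. Records, hosts, accounts, paths and group membership below are
constructed. The point: an implant that spreads through legitimate MSI
packages as a domain administrator still produces process-creation records,
and a few cheap features of those records (silent-install switches, where the
package lives, who ran it, what launched it) separate them from routine
software deployment without knowing anything about the package itself.
"""
import re
import shlex
from dataclasses import dataclass, field

# Constructed: accounts treated as domain administrators. A real deployment
# would resolve group membership from the directory instead of hard-coding it.
DOMAIN_ADMINS = {r"corp\itadmin", r"corp\svc_backup"}

# Constructed: locations from which sanctioned deployment tooling installs.
TRUSTED_PACKAGE_ROOTS = (r"c:\program files", r"c:\windows\ccmcache", r"\\deploy\software")

# Real msiexec switches that suppress the installer user interface.
SILENT_SWITCHES = {"/q", "/qn", "/qb", "/quiet", "/passive"}

# Constructed: host processes that appear as parent when a process is started
# remotely over WMI.
REMOTE_EXEC_PARENTS = {"wmiprvse.exe"}

# Matches a UNC path into an administrative share such as \\host\c$\...
ADMIN_SHARE = re.compile(r"^\\\\[^\\]+\\[a-z]\$")


@dataclass
class Finding:
    host: str
    user: str
    package: str
    reasons: list = field(default_factory=list)


def parse_record(line):
    """Split one constructed 'host|user|parent|command line' record."""
    parts = line.rstrip("\n").split("|", 3)
    if len(parts) != 4:
        return None
    host, user, parent, cmd = parts
    return {"host": host, "user": user, "parent": parent, "cmd": cmd}


def msi_package(argv):
    """Return the package path given to /i or /package, surrounding quotes removed."""
    for i, tok in enumerate(argv):
        if tok.lower() in ("/i", "/package") and i + 1 < len(argv):
            return argv[i + 1].strip('"')
    return ""


def assess(rec, min_reasons=2):
    """Return a Finding when a msiexec launch accumulates enough suspicious
    features, otherwise None. Non-msiexec records are ignored."""
    try:
        # Non-POSIX mode keeps backslashes literal and quoted paths in one token.
        argv = shlex.split(rec["cmd"], posix=False)
    except ValueError:
        return None  # unbalanced quotes; skip the record
    if not argv or not argv[0].strip('"').lower().endswith("msiexec.exe"):
        return None
    pkg = msi_package(argv)
    pkg_l = pkg.lower()
    reasons = []
    if any(tok.lower() in SILENT_SWITCHES for tok in argv[1:]):
        reasons.append("silent install switch")
    if pkg and not pkg_l.startswith(TRUSTED_PACKAGE_ROOTS):
        reasons.append("package outside sanctioned deployment paths")
    if ADMIN_SHARE.match(pkg_l):
        reasons.append("package read from an administrative share")
    if rec["user"].lower() in DOMAIN_ADMINS:
        reasons.append("run as domain administrator")
    if rec["parent"].lower() in REMOTE_EXEC_PARENTS:
        reasons.append("launched by a remote-execution host process")
    if len(reasons) < min_reasons:
        return None
    return Finding(rec["host"], rec["user"], pkg, reasons)


def scan(lines):
    """Run every record through assess() and collect the findings."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            f = assess(rec)
            if f is not None:
                findings.append(f)
    return findings


# Constructed sample records: a routine install, a sanctioned silent install, a
# user install from Temp, an unrelated process, two silent installs of a package
# copied to Temp and run under administrator accounts over WMI, and a bad line.
SAMPLE_LOG = r"""
ws01|CORP\alice|explorer.exe|msiexec.exe /i "C:\Program Files\Vendor\setup.msi"
ws01|CORP\alice|explorer.exe|msiexec.exe /i "\\deploy\software\office\setup.msi" /qb
ws03|CORP\bob|explorer.exe|msiexec.exe /i "C:\Users\bob\AppData\Local\Temp\update.msi"
ws03|CORP\bob|cmd.exe|notepad.exe C:\notes.txt
fs02|CORP\itadmin|wmiprvse.exe|msiexec.exe /i "C:\Windows\Temp\kb.msi" /qn
dc01|CORP\svc_backup|wmiprvse.exe|msiexec.exe /package "\\fs02\c$\Windows\Temp\kb.msi" /quiet
not a valid record
""".strip().splitlines()

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.host} {f.user} {f.package}: " + "; ".join(f.reasons))
```

Only the two installs on fs02 and dc01 are reported; the single-feature cases (a silent install from the sanctioned share, a user installing from Temp without silent switches) stay below the two-reason threshold, which keeps the rule from paging on ordinary software deployment while still catching the combination the article describes.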
The Duqu attackers, who hadn't been seen in action by Kaspersky since March 2012, began this latest attack campaign sometime in the fall of 2013.
Nothing Critical Exposed
Kaspersky officials maintain that their intellectual property exposed in the attack doesn't hurt the integrity of their products. There was nothing critical to the operation of the company's products exposed in the attack, Baumgartner says.
But security experts say the attacks are a dangerous precedent for security.
"It's a worrying thing that most likely a state-backed group attacked a private company in a different country, or even countries. It is even more worrying that such attacks might also happen to other security companies. This cannot just be harmful to global computer security, but introduces trust issues," says Boldizsar Bencsath, security expert at the Budapest University of Technology and Economics' Laboratory of Cryptography and Systems. "How should a single user select a security product? How should security companies handle these types of events?"
Bencsath, whose team discovered the very first variant of Duqu, says Kaspersky Lab was brave to give details of the attack on its own infrastructure. He says his team has found no evidence of Duqu 2.0 infections at its site, and posted a blog on the new variant today.
Kaspersky Lab hasn't seen any ties between Duqu 2.0 and the so-called Equation Group -- thought by many in the industry to be the US National Security Agency -- although there were indications of some ties with Stuxnet.
"While the two groups, Duqu and Equation, might have cooperated in the past, it seems they are now separate – for instance, one victim of Duqu 2.0 was infected by both the Equation Group and Duqu at the same time, indicating the two entities are different and competing for information from their victims," Kaspersky's Baumgartner says.
Duqu 2.0 is still active, he says, despite being outed.
