So the elevation of privilege patch MS15-061 that Microsoft issued yesterday and labeled as “important” should perhaps be considered “critical”, since it was exploited as a zero-day by the Duqu 2.0 attackers. Kaspersky Lab reported the flaw to Microsoft and waited for the patch to be released before explaining how it was used against the company. Microsoft rates local elevation-of-privilege bugs “important” because an attacker needs code already running on the machine to use them; once that code is in place, as it was here, the distinction matters little to the victim.
It takes a lot of guts for Kaspersky to come forward and admit it was the victim of a hack, but it also took plenty of nerve to disclose nation-state attacks like Duqu, Flame and Gauss in the first place, since the Duqu attackers link back to Stuxnet. Those same attackers came after Kaspersky with Duqu 2.0.
Eugene Kaspersky said the “sophisticated, very well-planned attack on our networks, most probably carried out by a government-backed group” was a “silly thing to do.” He wrote:
The malware used for this attack is extremely innovative and advanced. For example, it resides in the RAM – the short-term memory of the computer – and tries very hard to avoid making any changes to the hard drive. Its “persistence mechanism” (or rather, its absence) is quite brilliant. Some very serious thinking went into it, and a great many man-hours of some very bright – criminal – minds were spent developing it, meaning millions of dollars were spent on it, too. It’s also likely that the attackers believed it was impossible to detect. Now, I’ve always taken a lot of pride in our people and our technologies, but that pride’s been given a major boost by this news. For it proves one thing: attacking us leads to just one outcome: you get caught – no matter how clever you are. And besides, our initial investigation shows that their catch was not all that impressive.
Although the attackers managed to get access to data related to Kaspersky Lab's “R&D and new technologies” – and maybe that was what the spies were after – the attack did not disrupt the company's operations, and Kaspersky said Duqu 2.0 did not put its customers and partners at risk.
But the spies were also after details of Kaspersky’s investigations, detection methods and analysis capabilities. “Since we’re well known for successfully fighting sophisticated threats, they sought this information to try to stay under our radar. No chance,” Kaspersky wrote on the Kaspersky Lab blog. And if spying on those capabilities was what the attackers were after, it’s “accessible under licensing agreements (at least some of them)!”
This attack came not long after Kaspersky Lab published extensive research on the “Equation Group” hackers (pdf) at its Security Analyst Summit. Although the company stopped short of naming the NSA, the evidence certainly seemed to point that way. Now a different state-sponsored group, using malware related to Stuxnet, has gone after Kaspersky.
The malware is impressively scary, but the Kaspersky Lab blog had a message for the attackers, “People living in glass houses shouldn’t throw stones,” and went on:
Governments attacking IT security companies is simply outrageous. We’re supposed to be on the same side as responsible nations, sharing the common goal of a safe and secure cyberworld. We share our knowledge to fight cybercrime and help investigations become more effective. There are many things we do together to make this cyberworld a better place. But now we see some members of this ‘community’ paying no respect to laws, professional ethics or common sense.
To me, it’s another clear signal we need globally-accepted rules of the game to curb digital espionage and prevent cyberwarfare. If various murky groups – often government-linked – treat the Internet as a Wild West with no rules and run amok with impunity, it will put the sustainable global progress of information technologies at serious risk. So I’m once again calling on all responsible governments to come together and agree on such rules, and to fight against cybercrime and malware, not sponsor and promote it.
“By targeting Kaspersky Lab, the Duqu attackers have probably taken a huge bet hoping they’d remain undiscovered; and lost,” concludes the Duqu 2.0 (pdf) technical paper. “For a security company, one of the most difficult things is to admit falling victim to a malware attack. At Kaspersky Lab, we strongly believe in transparency, which is why we are publishing the information herein.”
Securelist advises that you “check your network for Duqu 2.0’s presence”; it lists several indicators of compromise, and there is an OpenIOC file you can feed to your own tooling. Articles detailing Duqu 2.0 are popping up all over the place, but I highly recommend reading the technical paper for yourself. Other Duqu 2.0 victims included a certificate authority in Hungary, companies in the industrial control system (ICS) sector, industrial computers, and events and venues tied to the P5+1 negotiations with Iran over its nuclear program.
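If you want to act on that advice rather than eyeball the indicator list, the OpenIOC file is the useful artifact: it is an XML document whose `<definition>` holds a tree of `<Indicator>` nodes combined with AND/OR operators, each leaf an `<IndicatorItem>` naming a search term (such as `FileItem/Md5sum`) and a value. The evaluator below, an added example that is not code from the article, from Securelist or from Kaspersky Lab, walks that tree and checks it against per-host observations. The IOC document, hashes, paths and host inventories in it are constructed placeholders, not real Duqu 2.0 indicators; replace `SAMPLE_IOC` with the text of the real file and the observation dictionaries with what your agent collects.

```python
"""Evaluate an OpenIOC 1.0 indicator file against per-host observations.

Added example; not from the article, Securelist or Kaspersky Lab. The
indicator document and host data below are constructed placeholders.
"""
import re
import xml.etree.ElementTree as ET

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

# Constructed OpenIOC document: OR(file hash, AND(dropped file path, process name)).
SAMPLE_IOC = r"""<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="example-ioc-0001"
     last-modified="2015-06-10T00:00:00">
  <short_description>Constructed example IOC (placeholder values)</short_description>
  <definition>
    <Indicator operator="OR" id="ind-1">
      <IndicatorItem id="ii-1" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">0123456789abcdef0123456789abcdef</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="ind-2">
        <IndicatorItem id="ii-2" condition="contains">
          <Context document="FileItem" search="FileItem/FullPath" type="mir"/>
          <Content type="string">\Windows\Temp\example.tmp</Content>
        </IndicatorItem>
        <IndicatorItem id="ii-3" condition="matches">
          <Context document="ProcessItem" search="ProcessItem/name" type="mir"/>
          <Content type="string">^example_svc\.exe$</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>
"""


def item_matches(item, observations):
    """True if any observed value for the item's search term satisfies its condition."""
    search = item.find("ioc:Context", NS).get("search")
    want = (item.find("ioc:Content", NS).text or "").strip()
    cond = item.get("condition", "is")
    for value in observations.get(search, []):
        v, w = value.lower(), want.lower()   # OpenIOC string matching is case-insensitive
        if cond == "is" and v == w:
            return True
        if cond == "contains" and w in v:
            return True
        if cond == "matches" and re.search(want, value, re.IGNORECASE):
            return True
    return False


def evaluate(node, observations, matched):
    """Recursively evaluate an <Indicator> AND/OR tree; record ids of items that hit."""
    results = []
    for child in node:
        if child.tag.endswith("}Indicator"):
            results.append(evaluate(child, observations, matched))
        elif child.tag.endswith("}IndicatorItem"):
            hit = item_matches(child, observations)
            if hit:
                matched.append(child.get("id"))
            results.append(hit)
    if not results:
        return False
    op = node.get("operator", "OR").upper()
    return all(results) if op == "AND" else any(results)


def scan_host(xml_text, observations):
    """Return (ioc id, whole IOC satisfied?, ids of IndicatorItems that matched)."""
    root = ET.fromstring(xml_text)
    indicators = root.find("ioc:definition", NS).findall("ioc:Indicator", NS)
    matched = []
    # list() so every branch is evaluated and all matching items are recorded
    hit = any([evaluate(ind, observations, matched) for ind in indicators])
    return root.get("id"), hit, matched


# Constructed host inventories keyed by OpenIOC search term (what an agent would collect).
CLEAN_HOST = {"FileItem/Md5sum": ["d41d8cd98f00b204e9800998ecf8427e"],
              "FileItem/FullPath": ["C:\\Windows\\System32\\notepad.exe"],
              "ProcessItem/name": ["explorer.exe", "svchost.exe"]}
PARTIAL_HOST = {"FileItem/Md5sum": ["d41d8cd98f00b204e9800998ecf8427e"],
                "FileItem/FullPath": ["C:\\Windows\\Temp\\example.tmp"],  # file alone: AND fails
                "ProcessItem/name": ["explorer.exe"]}
SUSPECT_HOST = {"FileItem/Md5sum": ["d41d8cd98f00b204e9800998ecf8427e"],
                "FileItem/FullPath": ["C:\\Windows\\Temp\\example.tmp"],
                "ProcessItem/name": ["explorer.exe", "EXAMPLE_SVC.EXE"]}

if __name__ == "__main__":
    for label, host in (("clean", CLEAN_HOST), ("partial", PARTIAL_HOST), ("suspect", SUSPECT_HOST)):
        print(label, scan_host(SAMPLE_IOC, host))
```

The partial host shows why the operator tree matters: a single matching item inside an AND branch is reported in the matched list, which is worth a look, but it does not by itself satisfy the IOC, so a scanner that flattens the file into a bag of strings would over-alert on it and, for the reverse case, under-alert on indicators that only count in combination.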
Additionally, Symantec discovered Duqu 2.0 attackers have no shortage of targets, having gone after “a European telecoms operator, a North African telecoms operator, and a South East Asian electronic equipment manufacturer. Infections were also found on computers located in the US, UK, Sweden, India, and Hong Kong.”
“Duqu 2.0 is a fully featured information-stealing tool that is designed to maintain a long term, low profile presence on the target’s network,” Symantec said. “Its creators have likely used it as one of their main tools in multiple intelligence gathering campaigns.”
Yeah, so about that patch Microsoft rated as “important” … you might want to get on that right away and think of it more along the lines of critical. Don’t be surprised that the patch only ranked as “important” with Microsoft; after all, the company only fully fixed the Windows shortcut (LNK) vulnerability that Stuxnet used for initial infection in March 2015. Yes, Microsoft did release a patch for that flaw in 2010, but as HP’s Zero Day Initiative said, “The patch failed. And for more than four years, all Windows systems have been vulnerable to exactly the same attack that Stuxnet used for initial deployment.”