Lesson for CISOs: There’s never enough awareness testing

My inability to multitask has caught up with me again: Busy covering the SC Congress Toronto conference last week, I was unable to give full attention to the innovative attack on Russia-based security vendor Kaspersky Lab. What drew my attention, however, is the common way it was carried out.

Dubbed Duqu 2.0, it’s been described as highly sophisticated malware that exploited three zero-day vulnerabilities — the last one apparently patched by Microsoft on June 9 — and, after letting an attacker gain administrative domain privileges, spread through the system using MSI (Microsoft Installer) files. Company founder Eugene Kaspersky told SC Magazine that the malware didn’t create or modify any disk files or system settings and existed almost totally in memory while still achieving persistence.

One company called the attack “state of the art,” and it has been found in other countries, including where nuclear disarmament talks with Iran are taking place.

But the important thing, I think, is that it was spread by an infected email attachment. “It was coming from our sales guys,” Kaspersky told SC Magazine. “Their job is to be in touch with our customers, our partners, so one of them was sent an infected document – there was a zero-day there – that’s it.”

This is another reminder to CISOs that ongoing employee security awareness campaigns have to be the standard today in their armoury of corporate protection weapons.

In a release Kaspersky said the attackers were especially interested in copying details of company products. No source code was changed, but there is a question about whether the attackers will be able to leverage what they have gained to weaken Kaspersky products. The company says whatever the attackers got “is in no way critical to the operation” of its products.

The attack, Kaspersky adds, was carefully planned and carried out by the same group that was behind the infamous 2011 Duqu APT attack.

“This highly sophisticated attack used up to three zero-day exploits, which is very impressive – the costs must have been very high,” said Costin Raiu, director of Kaspersky Lab’s global research and analysis team. “To stay hidden, the malware resides only in kernel memory, so anti-malware solutions might have problems detecting it. It also doesn’t directly connect to a command-and-control server to receive instructions. Instead, the attackers infect network gateways and firewalls by installing malicious drivers that proxy all traffic from the internal network to the attackers’ command and control servers.”

Among its recommendations to infosec pros, Kaspersky recommends organizations ensure the June 9 Microsoft update patches are installed, that all computers are simultaneously rebooted to ensure the malware doesn’t survive on one machine and that all passwords be changed.
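Those three recommendations boil down to checks an administrator can script per host. The following PowerShell is an added example, not code from the article or from Kaspersky: it assumes a Windows host with PowerShell 5.1 or later, and `KBNNNNNNN` is a placeholder for the KB number(s) of the June 9 Microsoft update, which the article does not give. The reboot check matters because a memory-resident implant survives until the machine is actually power-cycled, so the last boot time must be later than the patch’s install date.

```powershell
# Added example (not from the article): verify patch, post-patch reboot and
# password rotation on one Windows host.
# 'KBNNNNNNN' is a placeholder, not a real identifier; substitute the KB
# number(s) of the June 9 Microsoft update used in your environment.
$RequiredKBs = @('KBNNNNNNN')

# 1. Is the required update installed?
$hotfixes  = Get-HotFix
$installed = $hotfixes | Select-Object -ExpandProperty HotFixID
$missing   = $RequiredKBs | Where-Object { $_ -notin $installed }

# 2. Has the host been rebooted since the update was installed?
#    A memory-only implant is cleared by a reboot, so LastBootUpTime must be
#    later than the newest InstalledOn date of the required updates.
$lastBoot   = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
$patchDates = $hotfixes |
              Where-Object { $RequiredKBs -contains $_.HotFixID -and $_.InstalledOn } |
              Select-Object -ExpandProperty InstalledOn
$rebootedAfterPatch = ($patchDates.Count -gt 0) -and
                      ($lastBoot -gt ($patchDates | Sort-Object | Select-Object -Last 1))

# 3. Which enabled local accounts still have a password set before that reboot?
#    (Domain accounts need the ActiveDirectory module's Get-ADUser; not shown.)
$staleAccounts = Get-LocalUser | Where-Object {
    $_.Enabled -and ($null -eq $_.PasswordLastSet -or $_.PasswordLastSet -lt $lastBoot)
}

[PSCustomObject]@{
    ComputerName       = $env:COMPUTERNAME
    MissingPatches     = ($missing -join ', ')
    LastBoot           = $lastBoot
    RebootedAfterPatch = $rebootedAfterPatch
    StaleLocalAccounts = ($staleAccounts.Name -join ', ')
}
```

Run it across the fleet with `Invoke-Command -ComputerName <hosts> -FilePath .\check.ps1` and look for any row where `MissingPatches` is non-empty or `RebootedAfterPatch` is false; the “simultaneous” part of the reboot advice is an orchestration decision, which this check only verifies after the fact.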

Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]
