My inability to multitask has caught up with me again: busy covering the SC Congress Toronto conference last week, I was unable to give full attention to the innovative attack on Russia-based security vendor Kaspersky Lab. What drew my attention, however, was the very ordinary way it got in.
Dubbed Duqu 2.0, it has been described as highly sophisticated malware that exploited three zero-day vulnerabilities (the last of them, CVE-2015-2360, apparently patched by Microsoft on June 9 in bulletin MS15-061) and, after letting the attackers gain domain administrator privileges, spread laterally across the network using MSI (Windows Installer) packages. Company founder Eugene Kaspersky told SC Magazine that the malware didn't create or modify any disk files or system settings and existed almost totally in memory while still achieving persistence.
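As an added illustration (not Kaspersky's code, data or indicators), here is a starting point for hunting the kind of MSI fan-out described above in the Windows Application event log. It parses Windows Installer "Beginning a Windows Installer transaction" events (event ID 1040, which record the path of the package and the client process), flags packages launched from temp directories or administrative shares, and flags any one package name that starts on several hosts within a short window. The log lines are constructed in a hypothetical `key=value` export format; the path markers, the GUID-name heuristic and the fan-out thresholds are assumptions to tune for your own estate.

```python
"""Hunt Windows Installer transaction events (ID 1040) for MSI packages
launched from staging locations and for one package fanning out across hosts.
Added illustration; input format, markers and thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical key=value export of Application-log event 1040 lines.
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) host=(?P<host>\S+) id=(?P<id>\d+) "
    r"msg=Beginning a Windows Installer transaction: (?P<path>.+?)\. "
    r"Client Process Id: (?P<pid>\d+)\.$"
)

# Path fragments a scheduled enterprise rollout rarely uses (assumed list).
STAGING_MARKERS = ("\\windows\\temp\\", "\\appdata\\local\\temp\\",
                   "\\users\\public\\", "\\programdata\\")
# \\host\ADMIN$\..., \\host\C$\... : packages pushed over admin shares.
ADMIN_SHARE_RE = re.compile(r"^\\\\[^\\]+\\(admin\$|[a-z]\$)\\", re.IGNORECASE)
# {8-4-4-4-12}.msi style names, common for dropped rather than vendor packages.
GUID_NAME_RE = re.compile(
    r"^\{?[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?\.msi$", re.IGNORECASE)

# Constructed sample lines, not real telemetry. Plain UNC installs from a
# file server are deliberately left unflagged: GPO software rollouts use them.
SAMPLE_EVENTS = [
    r"2015-06-08 09:14:02 host=ws-017 id=1040 msg=Beginning a Windows Installer transaction: C:\Users\alice\Downloads\7z1507-x64.msi. Client Process Id: 4120.",
    r"2015-06-08 10:02:40 host=ws-042 id=1040 msg=Beginning a Windows Installer transaction: \\fs-01\software\Office2013\setup.msi. Client Process Id: 2288.",
    r"2015-06-08 23:41:55 host=dc-01 id=1040 msg=Beginning a Windows Installer transaction: C:\Windows\Temp\{6a7b2c1d-3e4f-4a5b-8c9d-0e1f2a3b4c5d}.msi. Client Process Id: 772.",
    r"2015-06-08 23:43:10 host=ws-101 id=1040 msg=Beginning a Windows Installer transaction: C:\Windows\Temp\{6a7b2c1d-3e4f-4a5b-8c9d-0e1f2a3b4c5d}.msi. Client Process Id: 640.",
    r"2015-06-08 23:44:02 host=ws-102 id=1040 msg=Beginning a Windows Installer transaction: C:\Windows\Temp\{6a7b2c1d-3e4f-4a5b-8c9d-0e1f2a3b4c5d}.msi. Client Process Id: 652.",
    r"2015-06-08 23:45:31 host=ws-103 id=1040 msg=Beginning a Windows Installer transaction: C:\Windows\Temp\{6a7b2c1d-3e4f-4a5b-8c9d-0e1f2a3b4c5d}.msi. Client Process Id: 648.",
    r"2015-06-08 23:50:00 host=ws-104 id=1042 msg=Ending a Windows Installer transaction: C:\Windows\Temp\{6a7b2c1d-3e4f-4a5b-8c9d-0e1f2a3b4c5d}.msi. Client Process Id: 648.",
    r"2015-06-09 08:15:09 host=ws-017 id=1040 msg=Beginning a Windows Installer transaction: \\ws-017\ADMIN$\Temp\updater.msi. Client Process Id: 3312.",
]


def parse_event(line):
    """Return a dict for an event-1040 line, or None for anything else."""
    m = EVENT_RE.match(line.strip())
    if not m or m.group("id") != "1040":
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    rec["pid"] = int(rec["pid"])
    return rec


def path_findings(path):
    """List the reasons a single MSI launch path looks like staging."""
    reasons = []
    low = path.lower()
    name = low.rsplit("\\", 1)[-1]
    if ADMIN_SHARE_RE.match(path):
        reasons.append("launched from an administrative share")
    if any(marker in low for marker in STAGING_MARKERS):
        reasons.append("staged in a temp or public directory")
    if GUID_NAME_RE.match(name):
        reasons.append("GUID-style package name")
    return reasons


def hunt(lines, fanout_hosts=3, fanout_window=timedelta(hours=1)):
    """Return (per_event, fanout).

    per_event: (host, path, reasons) for each suspicious launch, in log order.
    fanout: (package_name, sorted hosts) where one package name started on at
    least fanout_hosts distinct hosts inside fanout_window.
    """
    events = [e for e in (parse_event(l) for l in lines) if e]
    per_event, by_name = [], defaultdict(list)
    for e in events:
        reasons = path_findings(e["path"])
        if reasons:
            per_event.append((e["host"], e["path"], reasons))
        by_name[e["path"].lower().rsplit("\\", 1)[-1]].append(e)

    fanout = []
    for name, evs in by_name.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):  # sliding window anchored on each launch
            window = [x for x in evs[i:] if x["ts"] - first["ts"] <= fanout_window]
            hosts = sorted({x["host"] for x in window})
            if len(hosts) >= fanout_hosts:
                fanout.append((name, hosts))
                break
    return per_event, fanout


if __name__ == "__main__":
    suspicious, spread = hunt(SAMPLE_EVENTS)
    for host, path, reasons in suspicious:
        print(f"{host}: {path} [{'; '.join(reasons)}]")
    for name, hosts in spread:
        print(f"fan-out: {name} started on {len(hosts)} hosts: {', '.join(hosts)}")
```

Run against the constructed sample, it flags the four GUID-named packages staged in `C:\Windows\Temp` and the one pushed over `ADMIN$`, and reports the GUID package fanning out from `dc-01` to three workstations inside four minutes, while leaving the user download and the file-server rollout alone. The fan-out rule is the more robust of the two: an attacker can rename a package or stage it somewhere unusual, but lateral movement by design touches many hosts with the same payload in a short time.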
One company called the attack “state of the art,” and infections have been found in other countries, including at venues hosting the negotiations over Iran's nuclear programme.
But the important thing, I think, is that it was spread by an infected email attachment. “It was coming from our sales guys,” Kaspersky told SC Magazine. “Their job is to be in touch with our customers, our partners, so one of them was sent an infected document – there was a zero-day there – that’s it.”
This is another reminder to CISOs that ongoing employee security awareness campaigns have to be standard today in their armoury of corporate protection weapons. It is also a reminder of their limits: a document carrying a zero-day exploit, sent to a salesperson whose job is to open documents from customers and partners, is exactly the attachment awareness training cannot be expected to catch. Awareness has to be backed by prompt patching, by keeping domain-wide privileges away from the people who must open outside documents, and by detection that does not depend on a malicious file ever touching disk.
In a release Kaspersky said the attackers were especially interested in copying details of company products. No source code was changed, but there is a question about whether the attackers will be able to leverage what they have gained to weaken Kaspersky products. The company says whatever the attackers got “is in no way critical to the operation” of its products.
The attack, Kaspersky adds, was carefully planned and carried out by the same group that was behind the infamous 2011 Duqu APT attack.
“This highly sophisticated attack used up to three zero-day exploits, which is very impressive – the costs must have been very high,” said Costin Raiu, director of Kaspersky Lab’s global research and analysis team. “To stay hidden, the malware resides only in kernel memory, so anti-malware solutions might have problems detecting it. It also doesn’t directly connect to a command-and-control server to receive instructions. Instead, the attackers infect network gateways and firewalls by installing malicious drivers that proxy all traffic from the internal network to the attackers’ command and control servers.”
Among its recommendations to infosec pros, Kaspersky says organizations should ensure the June 9 Microsoft updates are installed, reboot all computers at the same time (because the implant lives in memory and reinfects a freshly rebooted machine from any host that is still running it, rebooting one box at a time does not clear it) and change all passwords, which, given that the attackers held domain administrator rights, means domain admin and service account credentials as well as user ones.