Duqu 2.0 Hits Kaspersky Lab
securelist.com
"By targeting Kaspersky Lab, the Duqu attackers probably took a huge bet hoping they’d remain undiscovered; and lost."
That seems like a very nice spin on a successful attack that was eventually detected. How long were the attackers able to spy on their internal systems? Perhaps they didn't need ongoing access and simply wished to steal client files or documents.
That was my first thought as well. One of the main takeaways from this is that Kaspersky Labs was probably compromised. Or at least there was an attempt. And the attacker is related to Stuxnet in some way. At least according to Kaspersky Lab.
>Kaspersky Labs was probably compromised
Relevant quote:
"Company officials were unable to provide Ars with an estimate of how many megabytes or gigabytes of data were extracted from their network, in part because the custom network connections Duqu used may have bypassed normal logging procedures. The company hasn't ruled out the possibility the attackers obtained Kaspersky Lab source code, but there are no signs they tried to compromise any of Kaspersky's 400 million users."
from http://arstechnica.com/security/2015/06/stepson-of-stuxnet-s...
"... or perhaps they don’t care much if they are discovered and exposed"
-- Kaspersky Labs
That's probably a big indication the attackers were making a withdrawal. If they were depositing something into production AV products, they would take super extra care to not be detected.
The geopolitics of this one is fascinating.
Stuxnet was a combined Israeli/US attack on Iran's nuclear capability. Kaspersky is a Russian security company which was started with government support, and is believed to still have connections there. Russia and Iran are allies.
Now look at how it played out. The US and Israel attacked Iran. Kaspersky tracked it down and publicized it to the world. And now some combination of the US, Israel, or close allies launched a spying attack on Kaspersky. Which, for all we know, may actually be an important part of the Russian cybersecurity infrastructure.
For all that organizations like the NSA do wrong (like spying on all of us), this is the kind of thing that we actually wanted them doing when they were created.
> a Russian company started with government support
From what I know this is simply not true. Got a source?
But I think your overall point holds. Kaspersky's 400 million user base includes a boatload of US/Western users, including enterprise and government clients. This simply cannot NOT be of some concern to respective countries, so it's perfectly logical that they would want to keep an eye on the situation.
I thought I had a source, but when I went looking I found tons of interesting connections (e.g. Kaspersky having gotten started in anti-virus while he was KGB) but no actual proof of involvement.
Given how Russian business works, though, it would seem likely that there is a connection.
But http://www.bloomberg.com/news/articles/2015-03-19/cybersecur... is an article that gives more recent reason for why Kaspersky is a potentially interesting target for Western spies.
>tons of interesting connections
Mind sharing those?
>he was KGB.
A claim unsupported by evidence.
>Given how Russian business works
"Given how I assume Russian business works based at most on anecdotal evidence." FTFY
Anyway, I wouldn't bother to reply to your post if you hadn't used a source that is full of shit, pardon my French. You can check out Kaspersky's blog for a rebuttal of this article. Now if you insist on inductive reasoning, I can offer you no evidence to the contrary, of course. And no, I don't work for a Russian troll agency and am not Russian in any way. I doubt they would bother with ycombinator anyway. In no way is this an attack on you, of course, but I find these kinds of posts severely annoying for the aforementioned reasons.
With your fantasy you can work in tabloids like Wired.
Russia and Iran are allies? The US is going to use Iran against Russia to sell Iranian gas and oil to Europe and subdue Russian influence - that's why the US decided to fix relations with Iran and come to a deal allowing the sanctions to end. They're more like competitors than allies.
In recent history, Russia and Iran have indeed been allies. See http://en.wikipedia.org/wiki/Iran%E2%80%93Russia_relations for verification. And the US has repeatedly found itself on the opposite end of geopolitical conflicts with both countries. For a random example, both Iran and Russia have been supportive of Assad's government in Syria, while the US is opposed.
Of course interests shift over time. We are indeed doing things to improve relations with Iran. But that doesn't change the fact that in recent history we've been calling them part of "the axis of evil" and they have been calling us "the great Satan".
I've heard that Iran calls the US the "great Satan", and Russia the "small Satan".
I've heard that Iran calls Israel "small Satan", not Russia.
A quick Google search finds lots of confirmation of that.
Wikipedia mentions both :)
And so it does. I stand corrected. The USSR was indeed called the lesser Satan 35 years ago.
However the link that I provided to http://en.wikipedia.org/wiki/Iran%E2%80%93Russia_relations says that Iran and the USSR had poor relations (due to the whole atheism thing), but Iran and Russia have had good relations since the USSR fell. Do you have a reference to Iran calling Russia any version of Satan in, say, the last 15 years?
Let's better return to the subject.
I agree with your overall conclusion that it's possible the attack was carried out by some special agencies, and that it might be reasonable from their standpoint.
But the chain of causality you draw looks to me like an arbitrary fantasy; or, to put it better, only one of many possible explanations. It puts together several unverified assumptions - statements which are not 100% true, but only probable to some degree.
The probability of all that happening together is the product of all the probabilities, and therefore a small number.
There is no evidence that Kaspersky Labs works for Russian intelligence. Yes, there were articles where journalists say "oh, he worked in the KGB, so we can imagine they still cooperate". The fact that we can imagine something doesn't mean it's true. All we can say for sure is that Kaspersky Labs may work for the KGB, or may not (including that they work for somebody else; why not imagine that).
Does Russia want to support the Iranian nuclear program, up to providing cyber security? IMHO unlikely, but again - maybe yes, maybe no.
Even if Russia decided to support Iran, there is no proof Russia employed Kaspersky and not a proper department of an intelligence service - maybe Kaspersky detected Stuxnet fairly, during their anti-virus research (their primary business; isn't that possible)?
Even that Stuxnet is a US intelligence creature is not a 100% fact; there is strong evidence to support that, but we don't know 100%.
0.1 * 0.2 * 0.4 * 0.9 = 0.0072
Put in your own numbers if you find your assumptions more realistic:
P(Kaspersky Labs works for the KGB) = 0.8
P(Russia wants to provide cyber security for the Iranian nuclear program) = 0.5
P(Kaspersky Labs detected Stuxnet specifically because of an intelligence order, as Russian intelligence has no other cybersecurity departments) = 0.5
P(Stuxnet was developed by US intelligence to attack Iran) = 0.95
Anyway, the combined probability of 0.8 * 0.5 * 0.5 * 0.95 = 0.19
You are missing the fact that there are other logical routes to the scenario, and some of those assumptions are correlated.
For example instead of Russia wanting to provide cyber security, Russia saw the opportunity to embarrass the US and score brownie points with Iran.
Instead of Kaspersky detected because of intelligence order, Kaspersky detected because they happened to be the ones in a position to do so.
And if Russia wanted to provide cyber security for Iran, then the odds are high that Kaspersky would be a component of that. Not because Russia has no other options, but because it is an obvious component that can be made available.
> You are missing the fact that there are other logical routes to the scenario.
No, you are missing the fact that there are a lot of possible explanations outside of the scenario.
Even if the current attack was by US and/or Israeli intelligence, penetrating Kaspersky may be useful for them just as it is, to keep an eye on Kaspersky anti-virus technologies and find a way to avoid them. Without any "revenge" for Iran.
Moreover, I've just checked https://en.wikipedia.org/wiki/Stuxnet#History, Stuxnet wasn't detected by Kaspersky, it was another company. Also, "The reason for the discovery at this time is attributed to the virus accidentally spreading beyond its intended target (the Natanz plant) due to a programming error introduced in an update". So this whole episode doesn't present Kaspersky as an active enemy of US intelligence.
I doubt very very much Russia wants to help Iran to get nuclear weapons - no country will help another country to get nuclear weapons, even if they can win "brownie points".
The Windows 0-day is CVE-2015-2360 from MS15-061, it appears to be the only one Microsoft admits to have been exploited or used to attack its customers.
Even if it's the only one they've admitted to, I think it's readily known that Microsoft has numerous zero-days (discovered or not) in their software. Combine that with their prevalence in enterprise businesses, and they're going to be a logical starting point for any top tier blackhat org.
"I think it's readily known that Microsoft has numerous zero-days (discovered or not) in their software."
This is true for every single piece of software ever written. Msft is no different in this regard.
I don't think it's fair to say "every single piece of software", as the claim that it's impossible to write secure software is just a myth. It's not very hard to write a secure "hello world".
Then there's also Coq and such.
Of course, usually the amount of vulnerabilities exponentially correlates to the size of the codebase.
Every OS that people actually use has boatloads of unpatched security issues.
Related report from Symantec:
http://www.symantec.com/connect/blogs/duqu-20-reemergence-ag...
Eugene Kaspersky: "Why Hacking Us Was A Silly Thing To Do"
http://www.forbes.com/sites/eugenekaspersky/2015/06/10/why-h...
> Various intelligence services seem to be treating the Internet like a battleground in a war, potentially creating new risks for hundreds of millions of people.
The internet was designed to survive a war. Can it handle being the battlefield?
----
> We protect those people in the face of such risks ... generally speaking, deliberately attacking medics on a battleground is simply despicable and disgraceful.
No further comment.
From the Kaspersky link:
I can think of several reasons why someone might want to try to steal our technical data, but each one of them doesn’t seem to be worth the risk.
I don't get it: what's the risk here? As far as I can see, the only risk is that their malware is removed from the victim machines. The risk of blowback to the perpetrators is vanishingly small as far as I can see.
Well, the malware used some quite innovative techniques, for example, consider this quote from Ars Technica article:
>Kaspersky researchers have described it as a "0-day trampoline" because it allowed their malicious modules to jump directly into the Windows kernel, the inner part of the operating system that has unfettered access to system memory and all external devices. The trampoline exploit allowed the malware to bypass digital signature requirements designed to prevent the loading of malicious code into the OS kernel space.
>"What is really impressive here—what I call really amazing—is the entire malware platform depends on this zero-day to work," Raiu said. "So if there is no zero day to jump into kernel mode this doesn't work."
Now this will be patched, and they will need something completely different for the next framework.
Follow that thought. If the risk was exposing these techniques, and exposure meant that the attackers would need new techniques, and the attackers were willing to take the risk, then...
Then they probably already have their new techniques all ready to go. Maybe even deployed in the field.
Yeah, this is actually addressed in the further paragraphs:
>Raiu went on to say the reliance on the highly unusual vulnerability is one of the things underscoring Duqu developers' extraordinary talent and the plentiful number of additional unpatched security bugs with the same unusual capabilities they likely have at their disposal.
>"These guys are so confident to develop their entire platform based on this zero day it means if they get caught and this zero day is patched they probably have another one they can use, which I would say is a pretty scary thought," he said. "Nobody develops an entire malware platform based on just one simple assumption that this zero day will work forever, because eventually it will be discovered and patched. And when it is patched your malware is not going to work anymore. I think that's also very scary and quite impressive."
Still the attackers' resources are not unlimited - they lost some development time, and maybe some unique opportunities which were possible only with this particular zero-day.
Perhaps they also knew that other bad actors had already discovered this particular 0-day and wanted it to be outed?
^ This seems like a great way to perform a risky operation and simultaneously stop your adversaries.
> Now this will be patched, and they will need something completely different for the next framework.
Which is probably already developed, tested, and deployed.
One plausible reason is that they wanted to see if some other as yet undisclosed attack has hit Kaspersky's radar. Peek into the detective's briefcase to see if he is investigating something that may expose your bigger caper. There is low risk to being found for your true caper.
At the very least, you use up the particular 0-day attacks you used to gain access to the system - since they had to keep re-using them in order to re-infect machines over reboots there was a pretty high chance that once detected, Kaspersky would discover the exploits being used. Apart from entities like the NSA themselves you probably couldn’t choose a more security aware target.
Any large nation state probably has a nice cache of 0-days ready to roll out at any given time, but they’re still a limited resource that could be used to attack other targets. Attacking Kaspersky pretty much guarantees that the 0-days are blown once the infiltration is discovered.
The Duqu attackers have got a ridiculous bag of zero-days at the ready.
Downvote with no explanation. Someone disagrees that these guys use zero-days? Not to mention some of which include jumping to kernel mode?
2011: CVE-2011-3402
2014: CVE-2014-4148 CVE-2014-6324 CVE-2015-2360
Your comment adds nothing of value to the conversation and provides no sourcing. This is why you have been downvoted.
Technical details were released yesterday:
https://securelist.com/files/2015/06/The_Mystery_of_Duqu_2_0...
It's kind of cute how the technical report[1] goes to great lengths to finger Israel, without explicitly stating it (see page 43).
[1] https://securelist.com/files/2015/06/The_Mystery_of_Duqu_2_0...
While I do think it was silly of them to mention the 70th anniversary of Auschwitz's liberation, there were not many who openly opposed the Iran nuclear deal as strongly as Netanyahu's government.
His speech to Congress was unprecedented and a sign he was possibly being kept out of the loop in the negotiation deals. I wouldn't blame Obama, Bibi's emotions (or delusions) seem to get in the way of any attempts at peace talks.
I wouldn't be surprised. KL tend to nettle (expose activity of) most western spy agencies while bypassing Russian and to a lesser extent Chinese hacking activities.
Outsiders have no clue about Israel's role in the Equation Group. Or who the Equation Group actually serves, for that matter.
Equation Group was very clearly the NSA, given that actual NSA codenames appeared in the binaries.
Equation Group very clearly includes the NSA. But how do we really know what the NSA is? Given the maze of secrecy, does anyone at the NSA even know what the NSA is, in any comprehensive sense? Or who it serves?
A fair point. One of the most surprising revelations from Snowden is that NSA and GCHQ apparently have conjoined intranets.
Yes, blood brothers ;)
Another surprising revelation was that need-to-know structure isn't necessarily congruent with management structure or chain of command. That is, one can report to someone who isn't authorized to know what one is doing. As I recall, the focus was on financial accountability, duplication of effort, empire building, etc. But there are deeper concerns about accountability.
"Despite the beefed up operational security of the malware, its unmistakable connection to the Duqu 1.0 and the times of day Duqu attackers manually entered Kaspersky's network leave little doubt in the minds of company researchers that the 2011 and 2014 attacks were carried out by the same group."
Not only is this a total stretch, it's complete hearsay.
The reasons for hackers to go after Kaspersky are just as numerous as for state sponsored teams, too. I find it hard to say it was definitively one or the other without further evidence. But in this "government surveillance" panic people are currently in, it's easy to just point a finger and say it was the NSA because this version "looks similar" to another version already deployed.
It's about as solid as saying there were similarities between the type of malware used in the Sony Pictures attack and code used to attack South Korea last year - which was laughed off by most of the info sec community.
Yes, once malware has been found, it can be reverse-engineered and reused. Also, I recall reading that the NSA relied in part on independent consultants in developing Stuxnet etc. Maybe some of those consultants have other pseudonyms, and other clients. So we have malware proliferation. And it's far worse than, for example, nuclear proliferation. Because it's all just bits.
Did you actually read the report? There are similarities that are way more consistent than just "looking similar". I tend to agree that attribution is usually a hard guess, but in this case, it's pretty hard to argue against them. Keep in mind that most of those similarities are totally not on the exploit parts, but on the very little quirks on how to handle the 'trivial' things that are extremely specific to your coder. (Also keep in mind that developing such a framework takes tons of time & money, we're talking about years & millions).
Will be interesting to see who else was targeted by this, looks like Kaspersky is just the first to disclose it:
http://www.kaspersky.com/about/news/virus/2015/Duqu-is-back
"Kaspersky Lab would like to reiterate that these are only preliminary results of the investigation. There is no doubt that this attack had a much wider geographical reach and many more targets. But judging from what the company already knows, Duqu 2.0 has been used to attack a complex range of targets at the highest levels with similarly varied geo-political interests."
Impressive to see most of the infections lived solely in memory. Along with the zero-days burned for this attack, you can tell this is a very professional team.
I cannot but wonder what the response here would have been if a similar attack had occurred inside Google or Facebook.
They might have been attacked too, just not disclosed or even discovered it yet.
This appears to be Israel from the technical report both because of the targets (Iran) and also the timezone data.
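A rough version of the working-hours analysis the thread keeps coming back to (times of day of manual operator sessions used as a weak attribution signal), as an added example that is neither from the Kaspersky report nor from any commenter. The session timestamps are constructed, and the office-hours window and the two weekday models are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: UTC timestamps of interactive operator sessions.
# These are hypothetical values, not the timestamps from the Duqu 2.0 report.
SAMPLE_SESSIONS_UTC = [
    "2014-11-03T07:12:00", "2014-11-03T09:40:00", "2014-11-04T06:55:00",
    "2014-11-04T11:20:00", "2014-11-05T08:05:00", "2014-11-06T12:30:00",
    "2014-11-06T14:10:00", "2014-11-09T07:45:00", "2014-11-10T10:00:00",
    "2014-11-11T13:25:00", "2014-11-12T06:30:00", "2014-11-13T09:15:00",
]

# Assumed local office hours: 09:00 up to (not including) 18:00.
WORK_START, WORK_END = 9, 18
# Two assumed work-week models: Mon-Fri and Sun-Thu (weekday(): Mon=0 ... Sun=6).
MON_TO_FRI = (0, 1, 2, 3, 4)
SUN_TO_THU = (6, 0, 1, 2, 3)


def parse_utc(stamps):
    """Turn ISO-8601 strings (assumed to be UTC) into aware datetimes."""
    return [datetime.fromisoformat(s).replace(tzinfo=timezone.utc) for s in stamps]


def office_hour_hits(times_utc, offset_hours, workdays=MON_TO_FRI):
    """Count sessions that land inside office hours on a workday when the
    clock is shifted to the candidate UTC offset. astimezone() handles the
    day roll-over, so weekday() is evaluated in local time, not UTC."""
    tz = timezone(timedelta(hours=offset_hours))
    hits = 0
    for t in times_utc:
        local = t.astimezone(tz)
        if local.weekday() in workdays and WORK_START <= local.hour < WORK_END:
            hits += 1
    return hits


def rank_offsets(stamps, offsets=range(-12, 15), workdays=MON_TO_FRI):
    """Score every candidate UTC offset and return (best offsets, all scores).
    Ties are returned as a list: a handful of sessions rarely pins one zone.
    Caveat for the analyst: timestamps are trivially shifted by an operator who
    expects this analysis, so treat the result as one weak signal among many."""
    times = parse_utc(stamps)
    scores = {off: office_hour_hits(times, off, workdays) for off in offsets}
    best = max(scores.values())
    return sorted(off for off, s in scores.items() if s == best), scores


if __name__ == "__main__":
    for label, days in (("Mon-Fri", MON_TO_FRI), ("Sun-Thu", SUN_TO_THU)):
        best, scores = rank_offsets(SAMPLE_SESSIONS_UTC, workdays=days)
        print(f"{label}: best UTC offset(s) {best}, hits {scores[best[0]]}/{len(SAMPLE_SESSIONS_UTC)}")
```

Running it with both weekday models shows why the work-week assumption matters as much as the clock offset: the constructed Sunday session only counts under the Sun-Thu model.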
So, correct me if I'm wrong: A non-technical user on their network DIDN'T have EMET running? Or did they, perhaps, have an EMET bypass in their shellcode?
If it's the latter, that's what I would be more interested in.
What makes you think that EMET can't be bypassed?