
Duqu 2.0 Hits Kaspersky Lab - ivanblagdan
https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/
======
eli
_"By targeting Kaspersky Lab, the Duqu attackers probably took a huge bet
hoping they’d remain undiscovered; and lost."_

That seems like a very nice spin on a successful attack that was eventually
detected. How long were the attackers able to spy on their internal systems?
Perhaps they didn't need ongoing access and simply wished to steal client
files or documents.

~~~
AnonymousPlanet
That was my first thought as well. One of the main takeaways from this is that
Kaspersky Labs was probably compromised. Or at least there was an attempt. And
the attacker is related to Stuxnet in some way. At least according to
Kaspersky Lab.

~~~
r721
>Kaspersky Labs was probably compromised

Relevant quote:

"Company officials were unable to provide Ars with an estimate of how many
megabytes or gigabytes of data were extracted from their network, in part
because the custom network connections Duqu used may have bypassed normal
logging procedures. The company hasn't ruled out the possibility the attackers
obtained Kaspersky Lab source code, but there are no signs they tried to
compromise any of Kaspersky's 400 million users."

from [http://arstechnica.com/security/2015/06/stepson-of-stuxnet-s...](http://arstechnica.com/security/2015/06/stepson-of-stuxnet-stalked-kaspersky-for-months-tapped-iran-nuke-talks/)

------
btilly
The geopolitics of this one is fascinating.

Stuxnet was a combined Israeli/US attack on Iran's nuclear capability.
Kaspersky is a Russian security company which was started with government
support, and is believed to still have connections there. Russia and Iran are
allies.

Now look at how it played out. The US and Israel attacked Iran. Kaspersky
tracked it down and publicized it to the world. And now some combination of
the US, Israel, or close allies launched a spying attack on Kaspersky. Which,
for all we know, may actually be an important part of the Russian
cybersecurity infrastructure.

For all that organizations like the NSA do wrong (like spying on all of us),
this is the kind of thing that we actually wanted them doing when they were
created.

~~~
huhtenberg
> a Russian company started _with government support_

From what I know this is simply not true. Got a source?

But I think your overall point holds. Kaspersky's 400 million user base
includes a boatload of US/Western users, including enterprise and government
clients. This simply cannot NOT be of some concern to respective countries, so
it's perfectly logical that they would want to keep an eye on the situation.

~~~
btilly
I thought I had a source, but when I went looking I found tons of interesting
connections (eg Kaspersky having gotten started in anti-virus while he was
KGB) but no actual proof of involvement.

Given how Russian business works, though, it would seem likely that there is a
connection.

But
[http://www.bloomberg.com/news/articles/2015-03-19/cybersecur...](http://www.bloomberg.com/news/articles/2015-03-19/cybersecurity-kaspersky-has-close-ties-to-russian-spies)
is an article that gives more recent reason for why Kaspersky is a potentially
interesting target for Western spies.

~~~
AdBait
>tons of interesting connections

Mind sharing those?

>he was KGB.

A claim unsupported by evidence.

>Given how Russian business works

"Given how I assume Russian business works based at most on anecdotal
evidence." FTFY

Anyway, I wouldn't bother to reply to your post if you hadn't used a source
that is full of shit, pardon my French. You can check out Kaspersky's blog for
a rebuttal of this article. Now if you insist on inductive reasoning I can offer
you no evidence to the contrary, of course. And no, I don't work for a Russian
troll agency and am not Russian in any way. I doubt they would bother with
ycombinator anyway. In no way is this an attack on you of course, but I find
these kinds of posts severely annoying because of the aforementioned reasons.

------
shthed
The Windows 0-day is CVE-2015-2360 from MS15-061; it appears to be the only
one Microsoft admits has been exploited or used to attack its customers.

[https://technet.microsoft.com/library/security/ms15-061](https://technet.microsoft.com/library/security/ms15-061)

~~~
joecasson
Even if it's the only one they've admitted to, I think it's readily known that
Microsoft has numerous zero-days (discovered or not) in their software.
Combined with their prevalence in enterprise businesses, they're going to
be a logical starting point for any top tier blackhat org.

~~~
yunong
"I think it's readily known that Microsoft has numerous zero-days (discovered
or not) in their software."

This is true for every single piece of software ever written. Msft is no
different in this regard.

~~~
ryanlol
I don't think it's fair to say "every single piece of software", as the claim
that it's impossible to write secure software is just a myth. It's not very
hard to write a secure "hello world".

Then there's also Coq and such.

Of course, usually the amount of vulnerabilities exponentially correlates to
the size of the codebase.

------
r721
Related report from Symantec:

[http://www.symantec.com/connect/blogs/duqu-20-reemergence-ag...](http://www.symantec.com/connect/blogs/duqu-20-reemergence-aggressive-cyberespionage-threat)

Eugene Kaspersky: "Why Hacking Us Was A Silly Thing To Do"

[http://www.forbes.com/sites/eugenekaspersky/2015/06/10/why-h...](http://www.forbes.com/sites/eugenekaspersky/2015/06/10/why-hacking-us-was-a-silly-thing-to-do/)

~~~
CWuestefeld
From the Kaspersky link:

 _I can think of several reasons why someone might want to try to steal our
technical data, but each one of them doesn’t seem to be worth the risk._

I don't get it: what's the risk here? As far as I can see, the only risk is
that their malware is removed from the victim machines. The risk of blowback
to the perpetrators is vanishingly small as far as I can see.

~~~
r721
Well, the malware used some quite innovative techniques; for example, consider
this quote from the Ars Technica article:

>Kaspersky researchers have described it as a "0-day trampoline" because it
allowed their malicious modules to jump directly into the Windows kernel, the
inner part of the operating system that has unfettered access to system memory
and all external devices. The trampoline exploit allowed the malware to bypass
digital signature requirements designed to prevent the loading of malicious
code into the OS kernel space.

>"What is really impressive here—what I call really amazing—is the entire
malware platform depends on this zero-day to work," Raiu said. "So if there is
no zero day to jump into kernel mode this doesn't work."

Now this will be patched, and they will need something completely different
for the next framework.

~~~
AnimalMuppet
Follow that thought. If the risk was exposing these techniques, and exposure
meant that the attackers would need new techniques, and the attackers were
willing to take the risk, then...

Then they probably already have their new techniques all ready to go. Maybe
even deployed in the field.

~~~
mark-r
Perhaps they also knew that other bad actors had already discovered this
particular 0-day and _wanted_ it to be outed?

~~~
stirlo
^ This seems like a great way to perform a risky operation and simultaneously
stop your adversaries.

------
nerdy
The Duqu attackers have got a ridiculous bag of zero-days at the ready.

~~~
nerdy
Downvote with no explanation. Someone disagrees that these guys use zero-days?
Not to mention some of which include jumping to kernel mode?

2011: CVE-2011-3402

2014: CVE-2014-4148 CVE-2014-6324 CVE-2015-2360

~~~
stirlo
Your comment adds nothing of value to the conversation and provides no
sourcing. This is why you have been downvoted.

------
omgitstom
Technical details were released yesterday:

[https://securelist.com/files/2015/06/The_Mystery_of_Duqu_2_0...](https://securelist.com/files/2015/06/The_Mystery_of_Duqu_2_0_a_sophisticated_cyberespionage_actor_returns.pdf)

------
dmgbrn
It's kind of cute how the technical report[1] goes to great lengths to finger
Israel, without explicitly stating it (see page 43).

[1]
[https://securelist.com/files/2015/06/The_Mystery_of_Duqu_2_0...](https://securelist.com/files/2015/06/The_Mystery_of_Duqu_2_0_a_sophisticated_cyberespionage_actor_returns.pdf)

~~~
mc32
I wouldn't be surprised. KL tend to nettle (expose activity of) most western
spy agencies while bypassing Russian and to a lesser extent Chinese hacking
activities.

------
at-fates-hands
_"Despite the beefed up operational security of the malware, its unmistakable
connection to the Duqu 1.0 and the times of day Duqu attackers manually
entered Kaspersky's network leave little doubt in the minds of company
researchers that the 2011 and 2014 attacks were carried out by the same
group."_

Not only is this a total stretch, it's complete hearsay.

The reasons for hackers to go after Kaspersky are just as numerous as for
state-sponsored teams. I find it hard to say it was definitively one or the
other without further evidence. But in this "government surveillance" panic
people are currently in, it's easy to just point a finger and say it was the
NSA because this version "looks similar" to another version already deployed.

It's about as solid as saying there were similarities between the type of
malware used in the Sony Pictures attack and code used to attack South Korea
last year - which was laughed off by most of the info sec community.

~~~
mirimir
Yes, once malware has been found, it can be reverse-engineered and reused.
Also, I recall reading that the NSA relied in part on independent consultants
in developing Stuxnet etc. Maybe some of those consultants have other
pseudonyms, and other clients. So we have malware proliferation. And it's far
worse than, for example, nuclear proliferation. Because it's all just bits.

------
shthed
Will be interesting to see who else was targeted by this, looks like Kaspersky
is just the first to disclose it:

[http://www.kaspersky.com/about/news/virus/2015/Duqu-is-back](http://www.kaspersky.com/about/news/virus/2015/Duqu-is-back)

"Kaspersky Lab would like to reiterate that these are only preliminary results
of the investigation. There is no doubt that this attack had a much wider
geographical reach and many more targets. But judging from what the company
already knows, Duqu 2.0 has been used to attack a complex range of targets at
the highest levels with similarly varied geo-political interests."

------
concernedctzn
Impressive to see most of the infections lived solely in memory. Along with
the zero-days burned for this attack, you can tell this is a very professional
team.

------
dbhattar
I cannot but wonder what the response here would have been if a similar attack
had occurred inside Google or Facebook.

~~~
shthed
They might have been attacked too, and just not disclosed it, or not even
discovered it yet.

------
bhouston
This appears to be Israel from the technical report both because of the
targets (Iran) and also the timezone data.

------
sarciszewski
So, correct me if I'm wrong: A non-technical user on their network DIDN'T have
EMET running? Or did they, perhaps, have an EMET bypass in their shellcode?

If it's the latter, that's what I would be more interested in.

~~~
rjaco31
What makes you think that EMET can't be bypassed?

