The existence of a new version of the notorious Duqu worm has come to light this week. This highly sophisticated piece of malware has been used by threat actors in targeted attacks aimed at several major organizations, including Russia-based security firm Kaspersky Lab.
Kaspersky Lab spotted Duqu 2.0 on its networks while testing a prototype of a new technology designed to detect advanced persistent threats (APTs). The malware evades detection by residing only in the system’s memory, and by using infected network gateways and firewalls to communicate with command and control (C&C) servers.
The reason why the attackers targeted the security firm is unclear; they might have been after technologies, source code, information on the inner workings of the company, or details on ongoing investigations and research methods.
Kaspersky Lab wasn’t the only company targeted with Duqu 2.0. A majority of the new 2014 and 2015 infections are linked to P5+1 events and venues related to Iran nuclear talks.
Symantec has also analyzed Duqu 2.0 and discovered that the attackers targeted a telecommunications operator in Europe, one in North Africa, and a Southeast Asian electronic equipment manufacturer. Infections have also been spotted in the United States, the United Kingdom, Sweden, India, and Hong Kong.
Attribution is difficult so Kaspersky Lab and Symantec have refrained from pointing the finger at anyone, but one of the main suspects appears to be Israel.
Experts contacted by SecurityWeek have commented on the similarities between these Duqu 2.0 attacks and other operations, the malware’s level of sophistication, methods that can be used to identify such threats, and the possible involvement of Israel.
And the feedback begins...
Dr. Fengmin Gong, co-founder & CSO, Cyphort:
“Duqu 2.0 is no doubt by the same actor group as Duqu, and although Duqu 2.0 wasn’t reported until recently, the samples being analyzed were actually from 2014 suggesting threat activities started at least last year. As evidence of "handwriting" fingerprints, not only that there are clear derivative enhancements typically associated with newer releases of the same software from the same authors, the same logging design and code-assignment is used; the same bug exits in both the old Duqu and Duqu 2.0 samples. Duqu uses Cipher Block Chaining mode of AES encryption to protect its configuration file. The same prepare_key method (in object oriented programming) is used in both Duqu and Duqu 2.0, but the old Duqu version only supports fixed 256-bit encryption key while the new Duqu 2.0 support 128bit, 192bit, and 512bit keys with the addition of the parameter for key size; however, in the encryption implementation, both versions have a bug in handling the corner case where the input data is less than 16 bytes.
The first Duqu is like a "cousin" of Stuxnet. In light of Duqu 2.0 involvement in compromising Kaspersky, it is a safe bet that Duqu is associated with the "Five Eyes" alliance, comprising Australia, Canada, New Zealand, the United Kingdom and the United States, and possibly Israel. Duqu 2.0 comes with the most comprehensive and sophisticated set of payload capabilities for persistence, target-system dis-armoring, lateral spread, and data collection. Considering its discovered releases associated with important events."
Andrew Conway, research analyst at Cloudmark:
"Though they never name them explicitly, Kaspersky goes to some lengths to present the evidence that Duqu is in fact the work of Israeli intelligence services. Firstly, they show the connections between the Duqu 1.0 attack and the Duqu 2.0 attack, and conclude that Duqu 2.0 could not have been written without access to Duqu 1.0 source code, which was never made public. By an analysis of the times of command and control activity and compiler timestamps, they concluded that the Duqu 1.0 attack came from a country that is located in the GMT+2 or +3 time zone, where the work week starts on Sunday and ends with a short day on Friday. They also noted that Jan. 1st appeared to be a business day in this country. Israel is the only country with a significant cyber espionage capability that matches this profile. (Parts of Russia are in the same time zone, but they don't work on Sundays.) Some of the Duqu attacks were targeted at the negotiations over Iran's nuclear program, which would also be consistent with Israel being responsible.
In attacks this sophisticated, some would consider the possibility that the U.S. intelligence services are responsible. However, Kaspersky points out that Duqu appears to be operating independently of the Equation group (in fact, they found one machine that was infected by both Duqu and Equation malware) and the Equation group is believed by some to be the NSA.
Duqu appears to be the most sophisticated nation state espionage tool yet discovered. It relies heavily on zero day vulnerabilities in Microsoft software to gain access and spread from machine to machine. I strongly suspect that the authors had access to Microsoft source code in order to discover and exploit these zero days. In his keynote address at the 2014 RSA conference, Microsoft's Scott Charney admitted that Microsoft source code was made available to foreign governments, so that they could ensure it was secure. This is actually the worst possible approach. Nation state security services have access to the source code to look for vulnerabilities, but white hat security researchers do not. If Microsoft is going to share their source code with potentially malicious actors, they should make it open source and offer a generous bug bounty, so that it is subject to security review by people who are actually interested in making the Internet more secure."
Gautam Aggarwal, Chief Marketing Officer, Bay Dynamics:
“There is a high chance this was a new variation of Duqu – i.e. in-memory attack so nothing gets written directly to the system, and there are no traces of this attack once the system goes through a reboot; hence it being extremely difficult to detect. As Kaspersky Lab shared that they are doing their due diligence to see what happened and what exactly was lost, the reason it is a challenge for them as this is most likely due to the fact that the attacker rebooted the system, leaving no traces of the attack or what was actually scanned within the system.
We definitely have not seen the end of this story. This is a very similar pattern to what happened to RSA in March 2011. They were the primary attack victim where RSA SecurID group was perpetrated which manufactures the Two-Factor hardware authentication tokens. In May 2011, we heard about a major data breach at US Defense Contractor Lockheed Martin. This was a secondary attack where attackers reportedly exploited Lockheed’s VPN access system, which allows employees to log in remotely by using their RSA SecurID hardware tokens. That suggests that whoever attacked Lockheed Martin may also have been behind the successful breach at RSA.
Similarly, my feeling is the attackers were looking for vulnerabilities in Kaspersky’s secure OS so that the same can be exploited at client sites where they are deployed. This is how attackers would inflict a larger collateral damage.”
Jeremy Scott, senior research analyst, Solutionary:
“The actors behind Duqu are speculative at best, but some have pointed fingers to the United States and/or Israel. Kaspersky discovered that Duqu infections, which were first discovered by CrySys, were common with Equation group intrusions. The actors have been dubbed “Duqu group” based on the malware itself or “Tilded team” based on the framework used for the malware development that uses a tilde (~) at the beginning of the files. There are also similarities with the “Tilded” framework in the Stuxnet and Flame code which leads researchers to believe that the actors behind Stuxnet are the same or working with the Duqu actors.
As far as the Kaspersky Lab intrusion, which was investigated and reported by Kaspersky, it’s not exactly clear the motivation of the intrusion. It’s not uncommon for APT groups to infiltrate security vendors to gain information about operations, products, detection methods, future products, etc. Again, purely speculative, but according to Kaspersky there was very specific information that they were focusing on.
Picking targets and target organizations by APT groups is not purely random as it is with the crimeware world. The actors behind Duqu, as well as Stuxnet, have a particular interest with Iran and its nuclear capabilities. I have not seen any specifics on the targeting of organizations involved in Iran nuclear talks, but it can be assumed that if targeting is happening then those involved would be good targets.”
Aaron Shelmire, senior threat researcher, ThreatStream:
"At ThreatStream, we would be surprised if the advanced actors were not attempting to gather inside information from security organizations. These actors have a vested interest in understanding the defensive tools and techniques that are used to detect and stop them from reaching their objectives.
Kaspersky took a refreshing leadership position by publishing a detailed document of the intrusion and what their analysts found. Many of the general techniques described in the paper (such as relying upon driver-based tools on externally facing servers, while pivoting internally without the use of persistent tools) are not unique to that threat actor. These types of lessons learned are helpful to the security community as a whole, by providing analysts with a first-hand account of what offensive techniques they need to be able to detect and defend against. "
Muddu Sudhakar, CEO of Caspida:
"Duqu is a family of malware first discovered in 2011. It has significant code similarities to Stuxnet, suggesting that it may have originated from the same source or was written by actors with access to the Stuxnet source code. Earlier this spring, Kaspersky Lab discovered that it had been compromised with malware believed to be from the Duqu threat actors, and dubbed the attack "Duqu 2.0.
Both the original and the new Duqu attack leverage advanced techniques such as zero-day vulnerabilities and stolen code-signing certificates. Both attacks also appear to be modular platforms for information stealing – the original attack gathered information about industrial control systems, with the ability to steal digital certificates and private encryption keys. In light of these and other factors, many security professionals believe that the Duqu threat group is sponsored by Israel with the aim of targeting Iran's nuclear program.
The recent Duqu 2.0 attack is yet another example of how sophisticated threats are able to fool existing security gateways. In this case, Duqu's creators learned about Kaspersky Lab’s methods in order to write malware capable of evading known blocking techniques. These increasingly sophisticated techniques illuminate the limitation of static rules or signature based techniques, regardless of how advanced they might be."
Oliver Tavakoli, Vectra Networks CTO:
“The Duqu 2.0 attack is a perfect example of why behavioral approaches to detection are essential in the face of a sophisticated attack. From Kasperky’s analysis, the attackers exploited zero-day vulnerabilities to infect a user and gain administrator privileges. From this point, the attacker performed an internal reconnaissance and then performed a pass-the-hash technique to move laterally within the network. The attackers then created MSI packages to infect additional machines.
While the exploits of the zero-day vulnerabilities were undetectable, the reconnaissance and spreading behaviors that followed are clearly observable by tracking the internal behavior on the network. Although the attack was sophisticated, the fundamental steps required to advance the attack toward the attacker’s ultimate goal remain the same. There will always be new vulnerabilities and exploits, but the attacker’s actions after gaining a foothold will continue to give them away.”
Morten Kjaersgaard, Heimdal Security CEO:
“The attack on Kaspersky is unfortunate and it relates to a reality that all security companies need to be aware of:
We need to accept that we are a more interesting target than many others. It’s very important that both businesses and individuals acknowledge the threat posed by Duqu/Stuxnet type of worms and that they are actively used for spying across the world.
The fact that multiple Zero Day vulnerabilities were used in the ill fated attack against Kaspersky shows the imperative need to keep our software updated at all times to patch vulnerabilities and reduce the risk of infection. For example, Adobe’s critical update for Flash Player released on June 9 or one of the 8 security vulnerabilities patched by Microsoft this month could have been used in this attack.
Either as a business owner or individual user, you need to move quickly on getting rid of vulnerabilities, as they are the prefered attack angle for cyber criminals in more than 70% of cases. Having accepted your risk of unknowingly having an infection, you must also actively protect against data leakage by using an APT protection solution to block threats and monitor what is happening on your devices.
We are all obliged to contribute to the fight against cyber crime the best way we can.”
Patrick Belcher, Director of Malware Analysis at Invincea:
"The Duqu2 attack showed some similarities to the Anthem and White House APT attacks. In each instance, the victims were highly security-aware personnel - people who are taught to be wary of email attachments and links - yet they fell prey to spear-phishing. This trend highlights that despite current defense-in-depth approaches and security training, the soft target remains the user behind the keyboard. Unless the industry gets serious about hardening end user devices through breach prevention technology, this trend will likely continue."
Rob Sadowski, Director of Technology Solutions at RSA:
“This attack on Kaspersky should provide further incentive for organizations to frequently update their risk and threat assessments and broaden their aperture as concerns potential attackers. Many more private sector organizations need to consider the possibility of nation-state or nation-state level actors targeting their operations or intellectual property and adjust their defense strategies accordingly. Despite the importance of continuous risk assessment and re-evaluation, in recent RSA research, 45% of global organizations described their capabilities as non-existent or ad hoc in this essential discipline, a troubling sign.
The details disclosed about the attack and the attacker TTPs also demonstrate how essential granular network and endpoint forensics are in detecting the activity of highly sophisticated attackers, as well as the required capability to move beyond detection of a single infected host to a full picture of all the adversary’s activity inside the compromised infrastructure in order to disrupt and remediate this level of attack.”
Karl Sigler, Threat Intelligence Manager at Trustwave:
“Duqu 2.0 is YAAPT (Yet Another Advanced Persistent Threat) using anti-forensic evasion techniques and zero day exploits. Targeted attacks like these go to long lengths to prevent being detected. The campaign utilized three zero day vulnerabilities, gained domain administrative access and spread itself to other systems as an MSI file. Unlike most malware campaigns, it also avoided permanence or persistence in order to achieve a higher level of stealth. It’s clear the criminals behind this campaign have in-depth technical expertise.
Network monitoring can provide an early warning to these types of attacks. In fact, this campaign was initially spotted through some anomalous, unexpected network traffic. The campaign also demonstrates that there is no such thing as 100% security. Being able to identify a compromise quickly and recover after a breach is just as important as the proactive measures to prevent a breach from the get-go. Our recently released 2015 Trustwave Global Security Report shows that in 2014 there was a median time of just over two weeks from intrusion to containment for organizations that detect a breach themselves. For organizations that found out through a third party they had been breached the median time from intrusion to containment was 154 days.”
Dan Lohrmann, Chief Strategist and CSO of Security Mentor:
“Based on the reports by Kaspersky, and independently verified by Symantec, Duqu 2.0 is another example of the growing number of advanced cyber-threats being used by nation-states in the most sensitive of situations. These advanced, expensive cyber-weapons are being created at the high end of the “cyber food chain.” We have entered a new era which is similar to the Cold War in the 20th century, with 21st century cyber weapons being used in place of nuclear weapons.
However, unlike with nuclear weapons, there is a major impact to global business in the use of these new cyber-weapons. New types of malware are trickling down in various forms to be used to steal intellectual property and infiltrate organization’s most sensitive communications and secrets. Inevitably, when this malware genie is out of the bottle, it is very difficult to control what happens next. Welcome to the new world of cyber espionage.”
Ivan Shefrin, Vice President, Security Solutions, TaaSera:
“The recently publicized Duqu 2.0 attacks on both the Iran nuclear negotiations and Kaspersky Labs have several facts in common: both were targeted, meant to steal highly confidential information, and undiscovered until after a data breach occurred.
They also highlight the need for IT security teams to find new ways for early detection. Our industry needs to move beyond traditional signature-based firewall and antivirus defenses. We should more aggressively implement behavior-based solutions for uncovering hidden malicious breach indicators moving laterally within their target environments. We must pair behavior detection with automated analytics that speed detection and response time for the professionals tasked with intervention.”