Duqu 2.0

Introduction

On the 9th June 2015, Kaspersky announced to the world that they had been a victim of a cyber attack that targeted their own corporate network.  If an organisation like Kaspersky can become a victim of a cyber attack of this magnitude, all organisations can potentially become victims.  Data is the lifeblood of any organisation and the loss of critical data could mean the demise of that organisation.

Analysis

Kaspersky, a Moscow-based security company, disclosed details of a cyber attack that they had been victim of.  After its discovery, Kaspersky launched an extensive investigation, gathering the facts and sharing the findings with the world.  The attack was dubbed Duqu 2.0, due to its similarity to an attack known as Duqu which was first spotted in 2011.  The use of Duqu and Duqu 2.0 is attributed to nation-state sponsored attacks, in this case trying to discover intellectual property, such as research into advanced persistent threats (APTs).

Cyber Kill Chain

The comprehensive nature of the attack meant it was highly likely to succeed.   Lockheed-Martin’s Cyber Kill Chain breaks down a cyber attack into seven steps.  Some attacks may only use some of these steps, while others will repeat them when attacking multiple systems prior to attacking the intended target.  The Duqu 2.0 attack not only followed the kill chain, but there were also elements repeated to make the attack more covert.

Reconnaissance/Weaponisation/Delivery /Exploitation

It is believed that an employee in one of the APAC offices was a target of a spear-phishing email, with a lure and redirect to a malicious dropper file that exploited a specific unpatched zero day vulnerability.  The attack was thorough, ensuring emails and browser history were cleared of all traces of the compromise.  Kaspersky confirm the machine was fully patched leading to the assumption of a zero day exploitation.

Installation/Weaponisation/Delivery/Exploitation/Installation

Once on the network, the attacker was able to escalate unprivileged credentials to that of the Windows domain administrator using another zero day vulnerability. The attacker was then able to explore the network by moving laterally and deciding which machines to compromise.  Microsoft Windows Installer Packages were used to deploy Duqu 2.0 into the network.  The attack software runs in memory, where most modern production servers have high uptimes and are rarely power cycled.  Had the machine been power cycled, it would have quickly been re-infected.

Command and Control/Action on Objectives

Once the desired information was found by the attacker, the data was exfiltrated out of the network.  Kaspersky have reported that non-critical information was taken as part of the attack.

Prevention

By analysing the sequence of the attack, a number of mitigating controls could be used to prevent the Duqu 2.0 and similar attacks.  Many of these elements may have been caught in isolation, but the prevention of the attack would need a more integrated approach to security.  The end goal for the attacker is to steal data.

Spear-phishing

The entry point to the network was to specifically target an individual or small group of people.  This highlights the need for user education at every level and every department of an organisation.  In conjunction with education, an email security gateway with sandboxing technology may have prevented Duqu 2.0 from entering the network.

Web Access

An exploit kit would have been introduced to the network to check for unpatched and zero day vulnerabilities.  This was delivered through the web vector as a malicious link or a compromised site with a malicious file.  The presence of this could have been detected with a web security gateway, ideally with a sandboxing solution to check the functionality of the file.

Zero Day vulnerabilities

The patching of operating systems, browsers, third party software and plug-in is highly recommended, although this will not prevent zero day vulnerabilities from being exploited.  The removal of non-essential software from a computer will help reduce the surface area of attack, and the use of host based firewalls and host intrusion protection system can help.

Administrative Credentials

The administrative credentials within the network were compromised, which allowed the lateral movement within the network.  This is a shortcoming of using static passwords for a period of time before being cycled; giving a window of exposure if the password is compromised.  A privileged access management solution, would cycle the administrative credentials after each use and video record each session.  This would give a greater level of security to the credentials and traceability on what each administrative session had executed.

Lateral Movement

Many networks are segmented using VLANs, which offer limited security.  Micro-segmentation would provide protection to the servers or groups of servers, with security controls to prevent the East-West movement within a network.  When coupled with a security analytics engine, this would give context to the abnormal traffic within the network.

Resident in memory

As Duqu 2.0 resides in memory, there are a number of mitigations that could have prevented this.  The simple act of rebooting the server would have cleared the application from memory, although this can be difficult to routinely perform on critical production servers.  Whitelisting application control solutions would have stopped the MSI from executing into memory by simply preventing the unknown application from running. 

Data Exfiltration

A gateway data loss prevention solution would have seen the data leaving the network.  It is especially important that the solution is able to analyse the data being drip fed out, piecing together many smaller exfiltrations to gain visibility of the overall loss and give context to the data leaving.

The Future

The Duqu 2.0 attack follows the seven stage cyber kill chain. Preventing the attack at any one of those steps would have ultimately stopped data loss.  Kaspersky caught the attack before critical data loss had occurred.  As attacks such as these are published it raises the profile for both vendors and attackers.  These techniques could still be used against any organisation, with the ultimate goal of stealing data.

To prevent these attacks, security vendors will need to take a more holistic view of security working with other vendors to specialise in the areas they don’t.  We see this collaborative working with technical partnerships by vendors, and with OEM agreements in the supply point solutions.  Alternatively security vendors need to take a more comprehensive approach tackling all the stages of the kill chain with integrated solutions.

The solutions need to become less reactive to the known and more proactive to the unknown.  There needs to be more focus on how security solutions deal with anomalies, where prevention and remediation is far more important than notification.  With a security staff shortage and the gap growing year on year, the vendors have the supply security intelligence in their solutions. The future for these solutions is not to supply data logs and notifications, but to provide context and proactive remediation through intelligent analytics.

In the short term, ensure endpoint security solutions are running the latest versions, with the latest updates and the recommended features are enable.  There needs to be a focus on running supported operating systems, with the latest patches, and to ensure that third party software and plugs-ins are updated as well.  Any web and email security solutions need to be updated and the security policies regularly reviewed.  The final piece is user education, which should be ongoing process, where the learning is engaging, flexible and relevant.

As these attacks become more mainstream where vertical and size no longer matter, look to future solutions that are able to tackle all stages of the kill chain, providing intelligence and context; and ultimately prevent the organisation’s data from entering the wrong hands.