Digital Resilience Pays Off
Download this e-book to learn about the role of Digital Resilience across enterprises.
recently i blogged already how important it is to apply today’s threat intelligence information to historical data. I gave the example the Duqu malware, which contained a self destroy capability to remain hidden. It seems the hiding strategy has evolved to a new level…
Today (10th June) Kaspersky Labs announced that they have been attacked by a new version of Duqu. At the time of writing it has been imaginatively named Duqu 2.0. It’s a very sophisticated piece of cyber-espionage malware and speculation is that it was a nation-state behind the attack with an estimated cost to creation the malware of around $50 million. The entire malware platform relies heavily on zero-day vulnerabilities to jump into systems and from current research it doesn’t seem as if the objective of the attack is financial gain.
The initial infection began through a targeted attack of an employee in one of their smaller APAC offices. The original infection vector for Duqu 2.0 is unknown, but they suspect a spear-phishing e-mail played an important role because they found indications like mailbox and web browser history was wiped to hide traces of the attack.
It is one of the rare malware types the researchers found that purely lives in the memory of machines. The creators are using zero day exploits and are so sure that in the network is always a infected host online that is able to infect other systems with a vulnerability in case the memory is erased.
The creator of the malware seems to be very confident that they have a set of zero-day vulnerabilities that even if the current used vulnerability is patched they can exploit with the next unknown one in the same environment to remain in organizations.
It’s bizzar, cleaning an environment can be done by shutting down all systems or simulating a power outage. However if you miss one system that is infected and has Duqu 2.0 in memory it will re-infect the others once they’re online again.
Kaspersky Lab published a great tech paper about the technical details, what the malware looks like, what tools it uses, what capabilities it has and how it communicates.
Kaspersky Researchers created an Indicator of Compromise (IOC) file. That one includes MD5 hashes from action loaders, MD5s from Cores and IP Address from Command and Control Servers. You can simply search for historic IP communication in your firewall logs with Splunk or if you have endpoint change/monitoring systems that give you MD5 hashes of started processes, then you can search them as well. If you use Splunk Enterprise Security you just need to download the IOC and feed it into Enterprise Security. Splunk Enterprise Security will automatically process the IOC and give you historic reports as well as real-time notifications in case you will be attacked in the near future.
This is a good documented example of what threats organizations face today. You can learn how you can improve your strategy by using the kill chain methodology to defend against those kind of APT’s and finding them in different stages as early as possible.