The short answer: it’s not. This was certainly the case for Kaspersky Labs, who announced yesterday that its corporate networks were hacked using a sophisticated advanced persistent threat (APT) dubbed Duqu 2.0. Though the word “sophisticated” is used rather liberally these days when describing data breaches, this new threat is by all accounts the most advanced of its kind.
Kaspersky’s data breach comes on the heels of last week’s announcement that the US Government was also the victim of an elaborate APT—also noted for its unprecedented sophistication and audacity. If leading IT security firms and the government are ineffective in their IT security efforts, then what hope is there for enterprises—especially if the average cost of developing and maintaining a malicious APT framework runs upwards of $50 million?
This is Kaspersky’s estimated price tag for an APT like Duqu 2.0. Unsurprisingly, the security firm’s breach—as well as the US Government hack—was attributed to a nation-state, the only deep-pocketed entity capable of funding such activities. And like any self-respecting nation-state, its intent was cyber-espionage—specifically, to steal information regarding next-generation security defense tools in development at Kaspersky Labs. In other words, the attackers were carrying out nefarious research for building future APTs.
More About Duqu 2.0
Kaspersky Labs reportedly discovered Duqu 2.0 on its network while testing a prototype of an anti-APT solution. Ironically, the firm was able to identify and neutralize the threat with the prototype, but since the compromise attempt was carried out in order to gain knowledge of future anti-APT solutions, the prototype may have been part of what the hackers were looking for. Because this notion is undoubtedly distressing for current and future Kaspersky Labs product owners, the company’s namesake tweeted the following shortly after the attack:
Like Stuxnet and the original Duqu worm, Duqu 2.0 is a composite threat that works by combining malware with zero-day exploits for a multi-pronged attack. The zero-day exploits are used to gain elevated privileges for propagating the worm—additionally, Duqu 2.0’s toolset remains almost entirely in memory, making it hard to detect and trace. Utilizing volatile memory for intrusion purposes is nothing new—POS RAM-scraping malware is another common threat covered extensively; check out our post Rethinking Information Security To Battle POS RAM-Scraping Malware to learn more.
Residing almost exclusively in memory also makes Duqu 2.0 especially capable of re-infecting systems. Technically, if a Duqu-infected system is rebooted the malware should disappear from its memory—as mentioned previously, this also makes the threat hard to detect and trace, as no disk writes or system settings changes have been made. But because the malware is deployed across the network with Microsoft Software Installer (MSI) files, compromised domain controllers can be triggered to redistribute the malware at any point.
The attackers appear to have exploited up to three zero-day vulnerabilities in the attack, the most recent of which (CVE-2015-2360) was patched by Microsoft on June 9th, 2015. More in-depth details regarding Duqu 2.0 are available in Kaspersky Lab’s technical bulletin addressing the threat.
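Because an in-memory implant leaves little on disk, the delivery channel described above (MSI packages pushed across the network from a domain controller) is often a better place to look than the endpoint’s file system. The following script is an added example, not code from the original post or from Kaspersky’s report: it scans constructed, Sysmon-style process-creation records and scores each msiexec.exe launch on three assumed indicators (a quiet/unattended install switch, a package path on a UNC share, and a non-interactive parent process such as services.exe). The field names mimic Sysmon Event ID 1, but the heuristic and its threshold are assumptions of this example, not a published Duqu 2.0 signature.

```python
"""Flag quiet, network-sourced MSI installs in process-creation logs.

Added example (not from the original post or Kaspersky's report). The
log records below are constructed; the indicators and threshold are
assumptions, not a published signature.
"""
import shlex

# Constructed sample records in a Sysmon-like "Key: value|Key: value" layout:
# an interactive user install, an unattended install from a DC share
# running under SYSTEM, and an unrelated application launch.
SAMPLE_LOG = [
    r"Image: C:\Windows\System32\msiexec.exe|CommandLine: msiexec.exe /i C:\Users\alice\Downloads\7zip.msi|User: CORP\alice|ParentImage: C:\Windows\explorer.exe",
    r"Image: C:\Windows\System32\msiexec.exe|CommandLine: msiexec.exe /i \\DC01\netlogon\update.msi /q|User: NT AUTHORITY\SYSTEM|ParentImage: C:\Windows\System32\services.exe",
    r"Image: C:\Program Files\App\app.exe|CommandLine: app.exe --run|User: CORP\bob|ParentImage: C:\Windows\explorer.exe",
]

# msiexec switches that suppress the UI (assumed list; extend as needed).
QUIET_FLAGS = {"/q", "/qn", "/qb", "/quiet", "/passive"}
# Parents that indicate execution via a service, scheduled task or WMI rather than a user.
NON_INTERACTIVE_PARENTS = {"services.exe", "taskeng.exe", "wmiprvse.exe"}


def parse_record(line: str) -> dict:
    """Split one 'Key: value|Key: value' record into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition(": ")
        fields[key.strip()] = value.strip()
    return fields


def basename(path: str) -> str:
    """Return the file name component of a Windows path, lower-cased."""
    return path.lower().rsplit("\\", 1)[-1]


def msi_install_indicators(fields: dict) -> dict:
    """Evaluate the three assumed indicators for one msiexec.exe launch."""
    # posix=False keeps Windows backslashes intact while splitting on whitespace.
    tokens = shlex.split(fields.get("CommandLine", ""), posix=False)
    return {
        "quiet": any(t.lower() in QUIET_FLAGS for t in tokens),
        "unc_source": any(t.startswith("\\\\") for t in tokens),  # \\server\share\pkg.msi
        "non_interactive_parent": basename(fields.get("ParentImage", "")) in NON_INTERACTIVE_PARENTS,
    }


def scan(lines, threshold: int = 2) -> list:
    """Return msiexec launches whose indicator count reaches the threshold."""
    findings = []
    for line in lines:
        fields = parse_record(line)
        if basename(fields.get("Image", "")) != "msiexec.exe":
            continue
        indicators = msi_install_indicators(fields)
        score = sum(indicators.values())
        if score >= threshold:
            findings.append({
                "user": fields.get("User"),
                "cmd": fields.get("CommandLine"),
                "indicators": sorted(k for k, v in indicators.items() if v),
                "score": score,
            })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"[score {finding['score']}] {finding['user']}: {finding['cmd']} ({', '.join(finding['indicators'])})")
```

Run against the constructed records, only the second launch is reported: it is quiet, pulls its package from a share on DC01, and is started by services.exe under SYSTEM, which is the combination an operator would want to review against change records before treating it as legitimate software distribution.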
Duqu 2.0 Recourse Measures
Expensive, sophisticated, and hard to detect—these are words that describe the next generation of cyber threats looming on the horizon. However, despite the scale and cost of development, one doesn’t need a $50 million IT security budget to battle threats like Duqu 2.0. Establishing proper control methods to counter the social engineering tactics of hackers should be a foundational component of an enterprise’s information security strategy. For example, employees are almost always culpable when it comes to email-triggered malware (e.g., opening infected email file attachments).
From a systems perspective, Kaspersky Labs cites the Australian Department of Defence’s guidelines for fighting APTs as the best publicly available guidelines from a government organization on how to successfully fight emerging threats. By implementing the following four strategies, one can mitigate 85% of threats:
use application whitelisting to help prevent malicious software and unapproved programs from running
patch applications such as Java, PDF viewers, Flash, web browsers and Microsoft Office
patch operating system vulnerabilities
restrict administrative privileges to operating systems and applications based on user duties.
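Three of the four strategies above (application whitelisting, patch currency and duty-based administrative rights) can be audited continuously from the data most environments already collect. The script below is an added example, not code from the original post, UpGuard, Kaspersky or the Australian Department of Defence: it checks a constructed set of process executions against a hash-based allowlist, flags elevated executions by users whose duties do not require admin rights, and flags hosts whose last patch baseline is older than an assumed 30-day window. The allowlist hashes are computed over placeholder bytes rather than real binaries, and the role table, hosts, dates and threshold are all constructed for the example.

```python
"""Audit constructed host data against three of the 'top four' mitigations.

Added example (not from the original post, UpGuard, Kaspersky or the ASD).
The inventory, allowlist, role table and 30-day patch window are constructed
assumptions for illustration.
"""
import hashlib
from datetime import date


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string (stands in for hashing a real binary)."""
    return hashlib.sha256(data).hexdigest()


# Constructed allowlist: hashes of "approved" binaries (placeholder bytes, not real files).
ALLOWLIST = {
    sha256_hex(b"approved-office-binary"),
    sha256_hex(b"approved-browser-binary"),
    sha256_hex(b"approved-build-binary"),
}

# Constructed role table: whether each user's duties justify local admin rights.
ADMIN_BY_DUTY = {"alice": False, "bob": False, "svc-build": True}

# Constructed process-execution records; the second one is an unknown, elevated binary.
EXECUTIONS = [
    {"host": "ws01", "user": "alice", "image": "winword.exe",
     "sha256": sha256_hex(b"approved-office-binary"), "elevated": False},
    {"host": "ws01", "user": "alice", "image": "update.tmp.exe",
     "sha256": sha256_hex(b"unknown-dropper"), "elevated": True},
    {"host": "ws02", "user": "bob", "image": "chrome.exe",
     "sha256": sha256_hex(b"approved-browser-binary"), "elevated": False},
    {"host": "build01", "user": "svc-build", "image": "msbuild.exe",
     "sha256": sha256_hex(b"approved-build-binary"), "elevated": True},
]

# Constructed patch state: date of the last applied OS/application patch baseline per host.
PATCH_STATE = {
    "ws01": date(2015, 6, 9),
    "ws02": date(2015, 3, 1),
    "build01": date(2015, 6, 1),
}


def audit(executions, allowlist, admin_by_duty, patch_state, today, max_patch_age_days=30):
    """Return findings keyed by strategy: unapproved binaries, unneeded admin use, stale patching."""
    findings = {"not_allowlisted": [], "unneeded_admin": [], "stale_patching": []}
    for e in executions:
        # Strategy 1: only binaries whose hash is on the allowlist should run.
        if e["sha256"] not in allowlist:
            findings["not_allowlisted"].append((e["host"], e["image"]))
        # Strategy 4: elevated execution is only acceptable for users whose duties require it.
        if e["elevated"] and not admin_by_duty.get(e["user"], False):
            findings["unneeded_admin"].append((e["host"], e["user"], e["image"]))
    # Strategies 2 and 3: every host must be inside the patch window.
    for host, last_patched in patch_state.items():
        age = (today - last_patched).days
        if age > max_patch_age_days:
            findings["stale_patching"].append((host, age))
    return findings


if __name__ == "__main__":
    # Constructed reference date a few days after the June 9th, 2015 patch.
    result = audit(EXECUTIONS, ALLOWLIST, ADMIN_BY_DUTY, PATCH_STATE, date(2015, 6, 12))
    for strategy, items in result.items():
        print(strategy, items)
```

In enforcement mode a whitelisting product would block the unapproved binary outright; running the same checks in audit mode first, as here, shows which hosts and users would be affected before the policy is switched to blocking, which is usually what makes the rollout survive.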
Tools like UpGuard can be used not only to identify and constantly monitor for vulnerabilities, but also to integrate with other complementary tools to fill out the continuous security toolchain. Since threats these days rely on multiple tools and tactics, information security should follow suit. Building a sustainable and scalable continuous security toolchain means merging the best tools into a framework that responds to each organization’s unique security needs. UpGuard provides continuous security monitoring and vulnerability assessment capabilities that dovetail with other security tools, enabling the complete visibility and validation that end-to-end security requires.