Security

Kaspersky Lab Reveals Cyberattack On Its Corporate Network

An anonymous reader writes: Kaspersky Lab has revealed that it was recently subject to a major cyberattack. The company launched an investigation, which led to the discovery of a new malware platform from Duqu. Kaspersky has revealed that the attack exploited zero-day vulnerabilities and the malware has spread in the network through MSI (Microsoft Software Installer) files. "The attack is extremely sophisticated, and this is a new generation of what is most likely state-sponsored malware," Kaspersky said during the press conference. "It's a kind of a mix of Alien, Terminator and Predator, in terms of Hollywood."

  • If only (Score:5, Funny)

    by penguinoid ( 724646 ) on Wednesday June 10, 2015 @05:01PM (#49886901) Homepage Journal

    If only they had an antivirus installed.

    • Did they not have a subscription to McCaffe? How embarrassing, there should be a free voucher around somewhere...

  • Hyperbole (Score:5, Insightful)

    by The Raven ( 30575 ) on Wednesday June 10, 2015 @05:02PM (#49886913) Homepage

    Kaspersky must characterize the malware as ultra-advanced, targeted, government hacking. Otherwise they look like fools for being penetrated.

    I'm not saying they are lying; I'm saying there is no way to tell, because their success as a company depends on them assuring everyone that they can competently defend against ordinary malware.

    • by Firethorn ( 177587 ) on Wednesday June 10, 2015 @05:06PM (#49886949) Homepage Journal

      It would have been funnier if in front of 'network' was 'honeypot'. Not to mention more impressive competence-wise.

      "Yeah, that network you hacked? Those terabytes of data you stole? It was a honeypot network, we were having bets on what you'd do next, and the terabytes of data was all randomly generated using SCIGen and such. Oh, and 50% horse cock porn. You didn't rate midget porn."

      • That is completely unprofessional.

        At most, it should be 5% horse cock porn so they have to look a bit harder to find it.

        • At most, it should be 5% horse cock porn so they have to look a bit harder to find it.

          Good point. But I was picturing it being in any databases and such as well, thus inflating sizes and requiring analysis to access, at which point it's not until they try jpg encoding that they get the horse picture on their monitor. ;) So 10%?

    • And to be fair (although in the same way you would be fair to morons), from their perspective, it was an advanced attack, because they didn't know how to stop it.
    • by Anonymous Coward

      If you read the report, the details seem to back up their comments. I mean, I agree at face value, but they do provide quite a bit of detail. You're welcome to look through them and determine for yourself if the attacks were trivial or advanced.

    • by Anonymous Coward

      If they're not lying about it being based on Duqu, then you're just revealing how little you know about Duqu.

    • by gl4ss ( 559668 )

      you know what would be funny?

      if "Microsoft Software Installer" files they refer to would just be malware.msi and NOT the malware injecting itself into some other software's msi files. which still sounds a bit lame and well, NOT VERY ZERO DAY method at all. sounds more like how viruses worked 20 years ago to be honest.

      anyway. kaspersky.. the great tool that you need another tool to remove.

  • because i don't have time to bleed. all other priorities rescinded.
  • Comment removed (Score:4, Insightful)

    by account_deleted ( 4530225 ) on Wednesday June 10, 2015 @05:10PM (#49886999)
    Comment removed based on user account deletion
    • by Whiteox ( 919863 )

      Because they test and develop for Win machines. Their other stuff is *nix-based.

    • Because their customers run punching-bag OSs like Microsoft? This illustrates how fucking hard the problem of internet security is though. I don't believe a state sponsor did this; I'll bet it was one of the usual cast of scoundrels coupled with some social engineering at a weak point (maybe the new secretary at the front desk?). Big networks mean many points of potential weakness. When an infinite army of monkeys on computers wants in to your system, you cannot let your guard down for one freaking second,
      • by Anonymous Coward

        or you just have an acceptable amount of security in order to still perform day-to-day activities, and deal with the once in a while disaster...

        fires, floods, loss of power, etc. whatever. unless you're a hospital or something it's pointless to worry so much about it. You can think of all the hypothetical money lost and this and that, but when it comes down to it, life and your next day isn't even a guarantee.

      • Because their customers run punching-bag OSs like Microsoft?

        I agree 120%. It would be utterly ridiculous to have separate machines for testing & experimentation that are totally isolated from the ones you run your operations on.

  • by VikingThunder ( 924574 ) on Wednesday June 10, 2015 @05:20PM (#49887045)
    FYI: Here is the link to Kaspersky's report of the incident: https://securelist.com/files/2... [securelist.com]
    • Have Kaspersky considered running their business off of bootable CDs?

      "In 2011, we were able to identify Duqu attacks that used Word Documents containing an exploit for a zero-day vulnerability (CVE-2011-3402) that relied on a malicious embedded TTF (True Type Font File). This exploit allowed the attackers to jump directly into Kernel mode from a Word Document, a very powerful, extremely rare, technique.

      A similar technique and zero-day exploit (CVE-2014-4148) appeared again in June 2014, as part of an
      • by plover ( 150551 ) on Wednesday June 10, 2015 @10:26PM (#49888529) Homepage Journal

        Have Kaspersky considered running their business off of bootable CDs?

        Read further down in the Fine Report, and you'll see why that strategy probably wouldn't have helped much. After the initial installation, the Command and Control network ran almost exclusively in RAM on Kaspersky's servers; the executable files were deleted to leave as few detectable traces as possible. Of course that meant the malware would be lost during a server reboot, so it depended on the actions of the other nearby servers that would eventually detect the rebooted server was uninfected, and would then re-infect it. And just in case Kaspersky's admins rebooted all servers simultaneously, wiping out the entire C&C system, they left a back door open in the form of a few unimportant PCs infected with persistent malware that would simply launch reverse tunneling proxies at startup. The attackers would have been able to reenter the network without needing to phish them again.

    • by Anonymous Coward

      This... is kind of nuts. How in the hell can people expect to defend against this level of sophistication? The sheer man hours that went into this is a pretty good indicator that it was probably state sponsored.

  • by freeze128 ( 544774 ) on Wednesday June 10, 2015 @05:36PM (#49887171)
    What is the new attack like, in terms of Muppets?
    • What is the new attack like, in terms of Muppets?

      In the aftermath of the attack, Oscar the Grouch mistook their lab for his home.

  • Test run (Score:5, Funny)

    by Jumunquo ( 2988827 ) on Wednesday June 10, 2015 @05:41PM (#49887205)

    Ah, so the Russians tested on themselves before deploying to Germany.

    • Re:Test run (Score:4, Insightful)

      by Anonymous Coward on Wednesday June 10, 2015 @05:48PM (#49887237)

      Have a look at the report, if it is to be believed then all fingers point to Israel...

      • by plover ( 150551 )

        Keep reading the report, and you'll see that they doubled back and covered their other tracks several times. Scheduling the malware activity levels to coincide with Israel's work week would be in keeping with the other forms of camouflage and diversion that were employed by Duqu 2.0's operators, and prove almost nothing at all.

        Various leaks after the fact strongly implicated Israel was responsible for Stuxnet (including a YouTube video of an IDF general being congratulated on his team's creation of the mal

        • The report says that at least one victim has been targeted by Equation Group (NSA) and Duqu simultaneously. The targeting of something related to a WW2 anniversary also strongly suggests Israel.

      • And why would a Russian firm have an interest in doing so...? Oh wait.

        There are plenty of top-notch cybersecurity firms across the globe. How does Kaspersky magically track down all these threats that others do not, and how are they all coincidentally coming from enemies of their greatest military customer, Iran?

        If you honestly think that a country the size of Israel is more active in this area than the rest of the world combined, I suggest you take a second look.

  • What was the goal? (Score:5, Interesting)

    by eulernet ( 1132389 ) on Wednesday June 10, 2015 @06:14PM (#49887393)

    Why did the attacker sacrifice such a nice tool? And to obtain what kind of information?

    My hypothesis is that the attackers wanted to retrieve all source code from Kaspersky Labs, in order to prepare future attacks.
    I have no doubt that they have the resources to analyze the source code and find some ways to evade Kaspersky's detection.
    The most wanted target was probably Kaspersky's internal tools, which are not in the final product, like virus analyzers, detection algorithms, and also how they build their virus signatures.

    It's probable that the attackers also wanted to confirm the ties between Kaspersky and the Russian government.

    • by Joe Gillian ( 3683399 ) on Wednesday June 10, 2015 @06:36PM (#49887521)

      Kaspersky themselves said that the Duqu authors were probably using them as a "utility target" to gain more access to their main target, which is believed to be anyone involved in the negotiations over Iran's nuclear program. The people from Kaspersky posited the idea that Duqu has no value to the people who wrote it - likely because by the time they attacked Kaspersky, they had already infected the people they were really after and could safely throw it away. It could also be that they purposely attacked Kaspersky for two reasons: to gain information on their detection methods and find ways around them, but also to ensure that no one else gets infected (thus avoiding a possible scandal for a state actor behind the attacks if people unrelated to their targets get hit).

      I'm with the camp that thinks Israel is behind it. It only makes sense, given their involvement with Stuxnet and their high level of interest in Iran's nuclear program, plus the connection with the Auschwitz liberation date.

      • I'm with the camp that thinks Israel is behind it. It only makes sense, given their involvement with Stuxnet and their high level of interest in Iran's nuclear program, plus the connection with the Auschwitz liberation date

        I beg to differ

        My train of thought for this case runs more along the false flag rule, and that if Israel really wants to carry it out wouldn't it at least try to avoid identifying themselves?

        The fact that the attack was launched with the Auschwitz liberation date in mind tells us that someone else is behind the scheme --- as the Auschwitz liberation date has a permalink to Israel anyone who wants to frame Israel can do nothing less than to link an attack to that particular date

        And apparently it works --- r

        • As I said in another post, it's possible that Duqu was written by the NSA for their ally Israel, or more exactly for the Mossad.

          In other words, Duqu would be the second class attack vector, so it doesn't really matter if it gets caught.

          About the manipulation skills, I believe that you are biased towards Obama (I'm French and not really interested in politics).
          In fact, all political leaders need to develop their charisma and manipulation skills, otherwise they'll never be elected.
          At a national level, the man

      • by Anonymous Coward

        Duqu people fucked up. Basically, they dumped a huge payload (including totally unrelated SCADA attack modules) on a tightly monitored network. According to articles, Kaspersky's people are still wading through all that shit. One can infer a lot from highly specialized attack code.

      • The people from Kaspersky posited the idea that Duqu has no value to the people who wrote it - likely because by the time they attacked Kaspersky, they had already infected the people they were really after and could safely throw it away.

        I believe Israeli intelligence has a big budget for hacking. But not that big. Duqu 2 seems to have over 100 plugins. They burned three zero days on this attack. Much of the code is clearly an evolution of Duqu 1.0 which was being used years ago.

        It seems obvious that each

        • It's possible that Duqu was written by the NSA for their ally Israel.
          It would explain why the technology is less advanced than Equation Group.

          I think that you are right about Kaspersky.
          They may have been infected for a few months, but only noticed the attack recently.

          However, since they have been attacked, I doubt they'll share the signatures of the attacks with other vendors, so it'll be a huge marketing advantage for their product!

    • by evilrip ( 713562 )
      Kaspersky was likely targeted because they are very popular in that part of the world: Russia, Middle East, so forth. Owning Kaspersky, if indeed it was a complete compromise, in effect means you can access data (potentially execute) from every single computer that runs Kaspersky software: you are in a position of trust at this point. Trust is a _dangerous_ thing in computer security terms, do not let this fool you. As most antivirus software will send home "suspicious" files for analysis, I expect th
      • by Anonymous Coward

        So now when I install Kaspersky's Russian government spyware, I get some Israeli government spyware on top?

        • by evilrip ( 713562 )
          If it makes you feel any better, that spyware was at least partially made in the U.S.A. :)
    • Why did the attacker sacrifice such a nice tool? And to obtain what kind of information?

      Well duh. Free licenses to extend the trial version of course.

  • by Maltheus ( 248271 ) on Wednesday June 10, 2015 @07:09PM (#49887735)

    Coming so soon after revealing the NSA spyware in the firmware of hard drive manufacturers, care to wager any guesses over which out-of-control state sponsored this attack?

    • by IamTheRealMike ( 537420 ) on Thursday June 11, 2015 @04:23AM (#49889531)

      I thought that at first too. But if you read the reports more closely it strongly suggests this is Israeli intelligence, not NSA.

      One strong indicator of this is that Kaspersky already found and analysed the current-gen NSA malware platform, they call the NSA the "Equation Group" and the things linking it to the NSA are extremely strong, to the extent that known NSA codenames are found in the binaries. However they also say that they found at least one victim that was hacked by NSA and "Duqu 2" simultaneously. It wouldn't really make sense for the NSA to have two entirely duplicative/redundant malware development projects over such a long period of time.

      Additionally, various other things suggest Israeli intelligence, like timestamps and working hours indicative of Israel and the fact that one of the victims was linked to some anniversary of the liberation of Auschwitz.

  • Good, I wish nothing but hard times for them.

    https://grahamcluley.com/2014/... [grahamcluley.com]

  • They made a big mistake targeting Kaspersky as they've given away most of their techniques. It does seem that someone went to an awful lot of trouble creating the malware. The_Mystery_of_Duqu_2_0 [securelist.com]
  • I had never seen a malware analyzed this thoroughly.
    The function name on page 39, the typo on page 44, and the list goes on.
    They found things you simply can't find in 18 megabytes of executables which should mean like 3 million SLOC of C code?
    I hate windoz, kaspersky, probably russians too, but... well done.