Kaspersky Lab Reveals Cyberattack On Its Corporate Network 73
An anonymous reader writes: Kaspersky Lab has revealed that it was recently subject to a major cyberattack. The company launched an investigation, which led to the discovery of a new malware platform from Duqu. Kaspersky has revealed that the attack exploited zero-day vulnerabilities and the malware has spread in the network through MSI (Microsoft Software Installer) files. "The attack is extremely sophisticated, and this is a new generation of what is most likely state-sponsored malware," Kaspersky said during the press conference. "It's a kind of a mix of Alien, Terminator and Predator, in terms of Hollywood."
Re: (Score:2)
no some one with a mac will successfully integrate, infiltrate and subjugate the malware... in terms of hollywood.
Re: (Score:2)
Why aren't they running OpenBSD? It's the only practical operating system to use in truly high-risk, high-security deployments.
DUH! Because Netcraft has confirmed that BSD is dying.
Re:Why aren't they running OpenBSD? (Score:5, Funny)
OpenBSD doesn't run those MSI files worth a darn. Someone should submit a patch
If only (Score:5, Funny)
If only they had an antivirus installed.
Re: (Score:2)
Did they not have a subscription to McCaffe? How embarrassing, there should be a free voucher around somewhere...
Hyperbole (Score:5, Insightful)
Kasperski must characterize the malware as ultra-advanced, targeted, government hacking. Otherwise they look like fools for being penetrated.
I'm not saying they are lying; I'm saying there is no way to tell, because their success as a company depends on them assuring everyone that they can competently defend against ordinary malware.
Re:Hyperbole (Score:4, Funny)
It would have been funnier if in front of 'network' was 'honeypot'. Not to mention more impressive competence wise.
"Yeah, that network you hacked? Those terabytes of data you stole? It was a honeypot network, we were having bets on what you'd do next, and the terabytes of data was all randomly generated using SCIGen and such. Oh, and 50% horse cock porn. You didn't rate midget porn."
Re: (Score:2)
That is completely unprofessional.
At most, it should be 5% horse cock porn so they have to look a bit harder to find it.
Re: (Score:2)
At most, it should be 5% horse cock porn so they have to look a bit harder to find it.
Good point. But I was picturing it being in any databases and such as well, thus inflating sizes and requiring analysis to access, at which point it's not until they try jpg encoding that they get the horse picture on their monitor. ;) So 10%?
Re: (Score:2)
Re: (Score:3)
They were probably aware that this would come up anyway so their PR department took action. To be hacked when you are a security focused company is hurting their image whatever advanced attack was used. I guess they were blackmailed that somebody will reveal information about breach so they took proactive but image hurting approach. Nevertheless it is curious.
Some technical explanation that I TL'DR as for now ;)
https://securelist.com/files/2... [securelist.com]
Re: (Score:3)
Come up how? Who the hell cares about hacking an anti-virus company except intelligence agencies anyway? They, at least for now it seems, aren't in the business of blackmailing companies in ways that could only lead directly back to them.
No way! This can only help their image, not hurt it.
Look. This attack spe
Re: (Score:3, Informative)
Sorry having fully read the report now I'm gonna guess that Duqu is more likely to be Israeli intelligence than the NSA. The report notes that at least one victim has been hacked by the "Equation Group" (very clearly NSA) and Duqu at the same time. Additionally the target list is things like anything to do with the Iranian nuclear program (very interesting to the Israelis) and also something to do with an anniversary of an event related to Auschwitz? Doesn't seem likely to interest the Americans. And appare
Re: (Score:2)
One could wonder... if they burned three zero days for essentially nothing... how many zero days do they have?
Re: (Score:1)
The Kaspersky source code (completely ignoring the presence of any exploitable bugs) wouldn't be much value to anyone other than Kaspersky. The mechanism behind virus scanners is pretty well known.
Re: (Score:1)
If you read the report, the details seem to back up their comments. I mean, I agree with at face value, but when they do provide quite a bit of details. You're welcome to look through them and determine for yourself if the attacks were trivial or advanced.
Re: (Score:1)
If they're not lying about it being based on Duqu, then you're just revealing how little you know about Duqu.
fuckin' George Lucas (Score:2)
Mighty suspicimous...
Re: (Score:2)
you know what would be funny?
if "Microsoft Software Installer" files the refer to would just be malware.msi and NOT the malware injecting itself into some other softwares msi files. which still sounds a bit lame and well, NOT VERY ZERO DAY method at all. sounds more like how viruses worked 20 years ago to be honest.
anyway. kaspersky.. the great tool that you need another tool to remove.
i'll be back (Score:2)
Comment removed (Score:4, Insightful)
Re: (Score:2)
Because they test and develop for Win machines. There other stuff is *nix based.
Re: (Score:2)
Re: (Score:1)
or you just have an acceptable amount of security in order to still perform day-to-day activities, and deal with the once in a while disaster...
fires, floods, loss of power, etc. whatever. unless you're a hospital or something it's pointless to worry so much about it. You can think of all the hypothetical money lost and this and that, but when it comes down to it, life and your next day isn't even a guarantee.
Re: (Score:3)
I agree 120%. It would be utterly ridiculous to have separate machines for testing & experimentation that are totally isolated from the ones you run your operations on.
Kapersky's 46 page report on incident (Score:5, Informative)
Re: (Score:1)
"In 2011, we were able to identify Duqu attacks that used Word Documents containing an exploit for a zero-day vulnerability (CVE-2011-3402) that relied on a malicious embedded TTF (True Type Font File). This exploit allowed the attackers to jump directly into Kernel mode from a Word Document, a very powerful, extremely rare, technique.
A similar technique and zero-day exploit ( 4CVE-2014-4148) appeared again in June 2014, as part of an
Re:Kapersky's 46 page report on incident (Score:5, Informative)
Have Kapersky considered running their business off of bootable CDs?
Read further down in the Fine Report, and you'll see why that strategy probably wouldn't have helped much. After the initial installation, the Command and Control network ran almost exclusively in RAM on Kaspersky's servers; the executable files were deleted to leave as few detectable traces as possible. Of course that meant the malware would be lost during a server reboot, so it depended on the actions of the other nearby servers that would eventually detect the rebooted server was uninfected, and would then re-infect it. And just in case Kaspersky's admins rebooted all servers simultaneously, wiping out the entire C&C system, they left a back door open in the form of a few unimportant PCs infected with persistent malware that would simply launch reverse tunneling proxies at startup. The attackers would have been able to reenter the network without needing to phish them again.
Re: (Score:1)
This... is kind of nuts. How in the hell can people expect to defend against this level of sophistication? The sheer man hours that went into this is a pretty good indicator that it was probably state sponsored.
In terms of Hollywood? (Score:3)
Re: (Score:2)
What is the new attack like, in terms of Muppets?
In the aftermath of the attack, Oscar the Grouch mistook their lab for his home.
Test run (Score:5, Funny)
Ah, so the Russians tested on themselves before deploying to Germany.
Re:Test run (Score:4, Insightful)
Have a look at the report, if it is to be believed then all fingers point to Israel...
Re: (Score:3)
Keep reading the report, and you'll see that they doubled back and covered their other tracks several times. Scheduling the malware activity levels to coincide with Israel's work week would be in keeping with the other forms of camouflage and diversion that were employed by Duqu 2.0's operators, and prove almost nothing at all.
Various leaks after the fact strongly implicated Israel was responsible for Stuxnet (including a YouTube video of an IDF general being congratulated on his team's creation of the mal
Re: (Score:2)
The report says that at least one victim has been targeted by Equation Group (NSA) and Duqu simultaneously. The targeting of something related to a WW2 anniversary also strongly suggests Israel.
Re: (Score:3)
And why would a Russian firm have an interest in doing so...? Oh wait.
There are plenty of top-notch cybersecurity firms across the globe. How does Kapersky magically track down all these threats that others do not, and how are they all coincidentally coming from enemies of their greatest military customer, Iran?
If you honestly think that a country the size of Israel is more active in this area than the rest of the world combined, I suggest you take a second look.
What was the goal ? (Score:5, Interesting)
Why did the attacker sacrificed such a nice tool ? And to obtain what kind of information ?
My hypothesis is that the attackers wanted to retrieve all source code from Kaspersky Labs, in order to prepare future attacks.
I have no doubt that they have the resources to analyze the source code and find some ways to evade Kaspersky's detection.
The most wanted target was probably Kaspersky's internal tools, which are not in the final product, like virus analyzers, detection algorithms, and also how they build their virus signatures.
It's probable that the attackers also wanted to confirm the ties between Kaspersky and the Russian government.
Re:What was the goal ? (Score:5, Interesting)
Kaspersky themselves said that the Duqu authors were probably using them as a "utility target" to gain more access to their main target, which is believed to be anyone involved in the negotiations over Iran's nuclear program. The people from Kaspersky posited the idea that Duqu has no value to the people who wrote it - likely because by the time they attacked Kaspersky, they had already infected the people they were really after and could safely throw it away. It could also be that they purposely attacked Kaspersky for two reasons: to gain information on their detection methods and find ways around them, but also to ensure that no one else gets infected (thus avoiding a possible scandal for a state actor behind the attacks if people unrelated to their targets get hit).
I'm with the camp that thinks Israel is behind it. It only makes sense, given their involvement with Stuxnet and their high level of interest in Iran's nuclear program, plus the connection with the Auschwitz liberation date.
This one has NSA's fingerprint all over it (Score:1, Interesting)
I'm with the camp that thinks Israel is behind it. It only makes sense, given their involvement with Stuxnet and their high level of interest in Iran's nuclear program, plus the connection with the Auschwitz liberation date
I beg to differ
My train of thought for this case runs more along the false flag rule, and that if Israel really wants to carry it out wouldn't it at least try to avoid identifying themselves?
The fact that the attack was launched with the Auschwitz liberation date in mind tells us that someone else is behind the scheme --- as the Auschwitz liberation date has a permalink to Israel anyone who wants to frame Israel can do nothing less than to link an attack to that particular date
And apparently it works --- r
Re: (Score:2)
As I said in another post, it's possible that Duqu was written by the NSA for their ally Israel, or more exactly for the Mossad.
In other words, Duqu would be the second class attack vector, so it doesn't really matter if it gets caught.
About the manipulation skills, I believe that you are biased towards Obama (I'm french and not really interested in politics).
In fact, all political leaders need to develop their charisma and manipulation skills, otherwise they'll never be elected.
At a national level, the man
Re: (Score:1)
Duqu people fucked-up. Basically, they dumped huge payload (including totally unrelated SCADA attack modules) on a tightly monitored network. According to articles, Kaspersky's people are still wading through all that shit. One can infer a lot from highly specialized attack code.
Re: (Score:2)
I believe Israeli intelligence has a big budget for hacking. But not that big. Duqu 2 seems to have over 100 plugins. They burned three zero days on this attack. Much of the code is clearly an evolution of Duqu 1.0 which was being used years ago.
It seems obvious that each
Re: (Score:2)
It's possible that Duqu was written by the NSA for their ally Israel.
It would explain why the technology is less advanced that Equation Group.
I think that you are right about Kaspersky.
They may have been infected since a few months, but only noticed the attack recently.
However, since they have been attacked, I doubt they'll share the signatures of the attacks to other vendors, so it'll be a huge marketing advantage for their product !
Re: (Score:1)
Re: (Score:1)
So now when I install Kaspersky's Russian government spyware, I get some Israeli government spyware on top?
Re: (Score:1)
Re: (Score:2)
Well duh. Free licenses to extend the trial version of course.
Payback for Outting NSA Spyware? (Score:5, Interesting)
Coming so soon after revealing the NSA spyware in the firmware of hard drive manufacturers, care to wager any guesses over which out-of-control state sponsored this attack?
Re:Payback for Outting NSA Spyware? (Score:4, Interesting)
I thought that at first too. But if you read the reports more closely it strongly suggests this is Israeli intelligence, not NSA.
One strong indicator of this is that Kaspersky already found and analysed the current-gen NSA malware platform, they call the NSA the "Equation Group" and the things linking it to the NSA are extremely strong, to the extent that known NSA codenames are found in the binaries. However they also say that they found at least one victim that was hacked by NSA and "Duqu 2" simultaneously. It wouldn't really make sense for the NSA to have two entirely duplicative/redundant malware development projects over such a long period of time.
Additionally, various other things suggest Israeli intelligence, like timestamps and working hours indicative of Israel and the fact that one of the victims was linked to some anniversary of the liberation of Auschwitz.
Good! (Score:2)
Good, I wish nothing but hard times for them.
https://grahamcluley.com/2014/... [grahamcluley.com]
A mistake targeting Kapersky .. (Score:1)
Holly fucking shit (Score:2)
the function name at page 39, The typo on page 44, and the list goes on.
They found things you simply can't find in 18 Mega-bytes of executables which should mean like 3 Million SLOC of C code?
I hate windoz, kaspersky, probably russians too, but... well done.