US or allies apparently hacked leading cybersecurity firm Kaspersky Lab

By | June 12, 2015

One of the leading anti-virus software providers has revealed that its own systems were recently compromised by hackers.

Kaspersky Lab said it believed the attack was designed to spy on its newest technologies.

It said the intrusion involved up to three previously unknown techniques.

The Russian firm added that it was continuing to carry out checks, but believed it had detected the intrusion at an early stage.

Although it acknowledged that the attackers had managed to access some of its files, it said that the data it had seen was “in no way critical to the operation” of its products.

“Spying on cybersecurity companies is a very dangerous tendency,” said the company’s chief executive Eugene Kaspersky.

“The only way to protect the world is to have law enforcement agencies and security companies fighting such attacks openly.

“We will always report attacks regardless of their origin.”

Kaspersky Lab said that it had detected the breach in the “early spring”, and described it as “one of the most sophisticated campaigns ever seen”.

The malware does not write any files to disk, but instead resides in affected computers’ memory, making it relatively hard to detect.

Kaspersky linked the attack to the unidentified creators of an earlier Trojan named Duqu, which made headlines in 2011 after being used in attacks on Iran, India, France and Ukraine.

As before, the hackers are said to have exploited Microsoft software to achieve their goal.

Last time they made use of a flaw in Word.

This time, Kaspersky said, the malware was spread using Microsoft Software Installer files, which are commonly used by IT staff to install programs on remote computers.

“This highly sophisticated attack used up to three zero-day [previously unknown] exploits, which is very impressive – the costs must have been very high,” commented Costin Raiu, director of Kaspersky Lab’s global research and analysis team.

He warned that the firm had evidence “Duqu 2.0” attacks had also been made on other targets, including several venues used for talks between Iran and the West about Iran’s nuclear programme.

The chief research officer of a rival computer security firm said he had had only a brief chance to look into the allegations, but added that it did appear to be a “big deal”.

“Duqu 2.0 seems to be the biggest [cybersecurity] news of the year so far – it’s major new malware from a major source,” said Mikko Hypponen, chief research officer at F-Secure.

“But we have previously seen security companies used as a way to reach other targets.

“The prime example of this was RSA, which got hacked four years ago, when we believe the target was a defence contractor in the US, which used RSA’s technology.”

Kaspersky said that it was “confident” that its clients and partners remained safe.

A Russian cyber security firm says it has discovered a highly-sophisticated, "almost invisible" cyber espionage tool that targeted the company's own servers, as well as systems around the world, including some linked to the controversial Iranian nuclear negotiations.

The Moscow-based firm Kaspersky Labs announced today the discovery of the worm, dubbed Duqu 2.0, which the company said it found this spring after the worm had been slinking through its system for "months."

"The attack was very complicated, very smart… [But] come on, it's stupid to attack a cyber-security company," Kaspersky founder and CEO Eugene Kaspersky told reporters in London. "Sooner or later, we'll find it anyway."

When the company sought out other victims of the sneaky attack, Kaspersky said on its website that it found some of the "infections are linked to the P5+1 events and venues related to negotiations with Iran about a nuclear deal."

Researchers have identified a new malware threat which has been dubbed “Duqu”. The new threat is apparently developed by the same author who developed the Stuxnet worm that was used in targeted attacks against Iranian nuclear power plants, but Duqu has its sights set on a completely different target.

Independent researchers in Europe have shared the malware code with researchers at McAfee and Symantec, and all parties agree that Duqu is built on the same source code as Stuxnet. A blog post from Symantec explains, “Duqu is essentially the precursor to a future Stuxnet-like attack. The threat was written by the same authors (or those that have access to the Stuxnet source code) and appears to have been created since the last Stuxnet file was recovered.”

The nature of the Stuxnet worm and the infiltration of Iranian nuclear facilities has led to speculation about whether the worm was developed by the United States or its allies expressly for that purpose.

The Pentagon response to the implication is the standard cagey reply given for just about anything related to national security or military engagements. Fox News reports that, “Pentagon Spokesman Col. David Lapan said Monday the Department of Defense can ‘neither confirm nor deny’ reports that it launched this attack.”

McAfee AVERT Labs has a thorough analysis of the Stuxnet worm which explains the threat in detail. “Stuxnet is a highly complex virus targeting Siemens’ SCADA software. The threat exploits a previously unpatched vulnerability in Siemens SIMATIC WinCC/STEP 7 (CVE-2010-2772) and four vulnerabilities in Microsoft Windows, two of which have been patched at this time (CVE-2010-2568, CVE-2010-2729). It also utilizes a rootkit to conceal its presence, as well as 2 different stolen digital certificates.”

More details:

In order to sneak onto Kaspersky’s system, alleged Israeli hackers used a digital certificate stolen from leading tech manufacturer Foxconn.

Attackers Stole Certificate from Foxconn to Hack Kaspersky With Duqu 2.0

The nation-state malware used to hack the Russian security firm Kaspersky Lab, as well as hotels associated with Iranian nuclear negotiations, used a digital certificate stolen from one of the world's top electronics makers: Foxconn.

The Taiwanese firm makes hardware for most of the major tech players, including Apple, Dell, Google, and Microsoft, manufacturing the likes of iPhones, iPads and PlayStation 4s. Taiwanese companies have been fruitful for this hacking group, who many believe to be Israeli: This marks at least the fourth time they have used a digital certificate taken from a Taiwan-based firm to get their malware successfully onto systems.

It's unclear why the attackers focus on digital certificates from Taiwanese companies, but it may be to plant a false flag and misdirect investigators into thinking China is behind the malware attacks, says Costin Raiu, director of Kaspersky's Global Research and Analysis Team.

A Hack That Undermines All Software

The strategy of stealing and corrupting otherwise-legitimate certificates is particularly galling to the security community because it undermines one of the crucial means for authenticating legitimate software.

Digital certificates are like passports that software makers use to sign and authenticate their code. They signal to browsers and computer operating systems that software can be trusted. But when attackers use them to sign their malware "the whole point of digital certificates becomes moot," says Costin Raiu, director of Kaspersky's Global Research and Analysis Team.

In order to sign malware with a legitimate digital certificate, the attackers have to steal the signing certificate a company uses for its software. This requires the attackers to first hack these companies.

The attack against Kaspersky, dubbed Duqu 2.0, is believed to have been conducted by the same hackers responsible for a previous Duqu attack uncovered in 2011. They are also widely credited with playing a role in Stuxnet, the digital weapon that attacked Iran's nuclear program. While Stuxnet was likely created jointly by teams in the US and Israel, many researchers believe Israel alone created Duqu 1.0 and Duqu 2.0.

In all three attacks–Stuxnet, Duqu 1.0 and Duqu 2.0–the attackers employed digital certificates from companies based in Taiwan.

Two digital certificates were used with Stuxnet–one from RealTek Semiconductor and one from JMicron–both companies located in the Hsinchu Science and Industrial Park in Hsinchu City, Taiwan. Duqu 1.0 used a digital certificate from C-Media Electronics, a maker of digital audio circuits located in Taipei, Taiwan. Foxconn, from which the fourth digital certificate was stolen, is headquartered in Tucheng, New Taipei City, Taiwan, about 40 miles away from RealTek and JMicron.

The fact that the attackers appear to have used a different certificate in each attack, instead of re-using the same certificate in multiple attack campaigns, suggests they have a stockpile of stolen certs. "Which is certainly alarming," says Raiu.

Why the Attackers Needed the Certificate

Duqu 2.0 targeted not only Kaspersky, but also some of the hotels and conference venues where the UN Security Council held talks with Iran about its nuclear program.

The Foxconn certificate had been found only on Kaspersky's systems until a few days ago when someone uploaded a driver file to VirusTotal. VirusTotal is a Web site that aggregates multiple antivirus scanners. Security researchers and anyone else can submit suspicious files to the web site to see if any of the scanners detect it. The driver file uploaded to VirusTotal had been signed with the same Foxconn certificate, suggesting that another victim of Duqu 2.0 has found it on their system as well. Because submissions to VirusTotal are made anonymously, it's not known who found the malicious file on their system.

In the case of the attack on Kaspersky, the hackers used the Foxconn certificate to sign and install a malicious driver on a Kaspersky server. The server was a 64-bit Windows server. The latest 64-bit versions of the Windows operating system don't allow drivers to install unless they are signed with a valid digital certificate.
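The passages above make the point that a valid signature from a stolen certificate proves only that the signer held the key, which is exactly why 64-bit Windows accepted the malicious driver. The following PowerShell is an added example, not code from the article or from any of the firms it quotes, of the extra check a defender can layer on top of signature validation: it walks the drivers directory with Get-AuthenticodeSignature and flags any driver whose signer thumbprint appears on a locally maintained distrust list. The list name and the thumbprint values are assumptions; the thumbprints are constructed placeholders, not real certificates.

```powershell
# Added example: audit installed kernel drivers for signatures made with
# certificates an organisation has decided to distrust (for instance, signing
# certificates publicly reported stolen). A Valid Authenticode status only
# proves possession of the key, so a distrust list is checked separately.

# Hypothetical distrust list: SHA-1 thumbprints of signer certificates.
# These values are constructed placeholders, not real thumbprints.
$DistrustedThumbprints = @(
    '0000000000000000000000000000000000000001',
    '0000000000000000000000000000000000000002'
)

function Test-DriverSignature {
    param([Parameter(Mandatory)][string]$Path)

    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = $sig.SignerCertificate

    $finding = [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        Subject    = if ($signer) { $signer.Subject }    else { $null }
        Thumbprint = if ($signer) { $signer.Thumbprint } else { $null }
        Verdict    = 'ok'
    }

    if ($sig.Status -ne 'Valid') {
        # Unsigned or tampered binaries are findings in their own right.
        $finding.Verdict = "signature $($sig.Status)"
    } elseif ($DistrustedThumbprints -contains $signer.Thumbprint) {
        # Cryptographically valid, but signed with a certificate we no longer trust.
        $finding.Verdict = 'signed with distrusted certificate'
    }
    return $finding
}

# Walk the drivers directory and report everything that is not plainly ok.
Get-ChildItem -Path "$env:SystemRoot\System32\drivers" -Filter '*.sys' -File |
    ForEach-Object { Test-DriverSignature -Path $_.FullName } |
    Where-Object { $_.Verdict -ne 'ok' } |
    Format-Table -AutoSize
```

The same function can be pointed at any directory of signed binaries; the distrust list is the part that needs maintaining as vendors report stolen or revoked certificates.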

VirusTotal submissions are made anonymously? I don’t think that part is correct (see the VirusTotal Privacy Policy). They may need to say this because otherwise Google will know more about the attack on Kaspersky than they might care to divulge:

Google, a long-time partner, acquired VirusTotal in 2012.

The unspoken allegation is that this was done by the NSA or a similar organization. NSA insider Edward Snowden confirmed as much, according to the site RT:

The Stuxnet virus that decimated Iranian nuclear facilities was created by the NSA and co-written by Israel, Edward Snowden has confirmed. The whistleblower added the NSA has a web of foreign partners who pay "marginal attention to human rights."

In an interview with Jacob Applebaum published in German daily Der Spiegel on Monday, Snowden stated that the US and Israel were behind the computer worm. Stuxnet infiltrated Iranian nuclear facility networks in 2009-2010 and was used to change the speed of thousands of gas-spinning centrifuges, sabotaging nuclear research.

Washington and Tel Aviv were thought to have been behind the cyber-attack, however, this was never confirmed by either government.

"The NSA and Israel wrote Stuxnet together," Snowden told Applebaum in the interview that was carried out in May.

Snowden stressed that the National Security Agency (NSA) often cooperates with foreign partners through a special body known as the Foreign Affairs Directorate (FAD). Referring to Britain, Australia, New Zealand and Canada, also known as the 'Five Eye Partners,' he said their practices often go further than those of the NSA.

In particular he flagged the system used by the UK's General Communications Headquarters (GCHQ), TEMPORA as one of the worst offenders.

"TEMPORA is the signals intelligence community’s first 'full-take' internet buffer that doesn’t care about content type and pays only marginal attention to the Human Rights Act," said Snowden.

The UK buffer is able to hold a vast quantity of internet data for up to three days, said the whistleblower.

"You should never send information over British lines or British servers. Even the Queen's 'selfies' with her lifeguards would be recorded, if they existed." …

One theory is that there is a tap into the fiber optic cables under the ocean and that’s how they get everything.

Thu Sep 6, 2007

TAIPEI, Sept 7: Two strong earthquakes rattled Taiwan’s capital and the north of the island on Friday, disrupting communications though no casualties or serious damage were reported.

Last December, a series of earthquakes off Taiwan damaged eight undersea cables, knocking millions of Internet users offline and disrupting banking services from Seoul to Sydney.

Chunghwa Telecom (2412.TW), Taiwan’s top telecommunications carrier, said an undersea cable to Japan was damaged and was under repair. …

If one of those fiber optic cables belongs to the NSA, you just put an insider in the repair position and use a splitter to send the data back along that cable.

While tapping undersea cables sounds a bit James Bond-esque, the truth is more impressive than fiction. Again, from the Atlantic:

The easiest place to get into the cables is at the regeneration points — spots where their signals are amplified and pushed forward on their long, circuitous journeys. “At these spots, the fiber optics can be more easily tapped, because they are no longer bundled together, rather laid out individually,” Deutsche Welle reported.

But such aquatic endeavors may no longer even be necessary. The cables make landfall at coastal stations in various countries, where their data is sent on to domestic networks, and it’s easier to tap them on land than underwater.

The next step in the process is almost unbelievable given the name of the NSA's Internet surveillance program: PRISM. According to the story in the Atlantic, the snoops use an actual prism to collect the data and keep those on the lookout for interception off the agency's trail. Olga Khazan reports:

The tapping process apparently involves using so-called “intercept probes.” According to two analysts I spoke to, the intelligence agencies likely gain access to the landing stations, usually with the permission of the host countries or operating companies, and use these small devices to capture the light being sent across the cable. The probe bounces the light through a prism, makes a copy of it, and turns it into binary data without disrupting the flow of the original Internet traffic.

So breaking into buildings or servers isn’t needed. This makes the recent fiber optic cable sabotage in Livermore a bit more interesting.

The FBI is calling 11 separate attacks on fiber-optic cables in the Bay Area since July 2014 vandalism, but they have no idea who the perpetrators are. Could be pranksters, jihadists or a government conspiracy.

They would have figured it out by now in Texas, where right-wing internet is good at crowdsourcing these kinds of mysteries. An attack on fiber optics would be an assault on the heart of their networked strength and Lone Star sovereignty.

For now, it's just a mystery in California, though a bit of an unnerving one. The latest incident happened on Tuesday when someone broke into an underground vault in Livermore, 40 miles southeast of San Francisco, and cut three cables. Phone service, television and internet connections were affected in Sacramento.

Among those impacted were Level 3 Communications, Zayo Group and Wave Broadband, which uses the fiber-cable of the other two to provide its service. A statement from Wave Broadband said the incident was part of a "coordinated attack." The FBI disputes that, for now, but speculated that the "individuals may appear to be normal telecommunications maintenance workers or possess tools consistent with that job role."
