In light of Sir Christopher Lee’s passing, it seems only fitting that we make a nod in his general direction to talk about the most recent attack by our good friend: Duqu. That’s right, HackerAttackers – there has been another Duqu cyber attack. Duqu is back, and it’s breaking out the big guns with 2.0. Like its apparent namesake (though, personally, Dooku looks a lot more villainous), Duqu 2.0 is a master of disguise, infiltration and covering its tracks. We’ve spoken before about the nature of cyber warfare in the digital age, and Duqu 2.0 is a prime example of the evolution of this threat. Threats such as the Stuxnet virus and Flame are pushing the envelope for what we consider traditional spycraft and covert war. The Duqu cyber attack is the most recent, home-based instance of cyber warfare to point out the need for stronger security and, above all, a more penetrating awareness of the threats of our digital age.
The Legacy of the Duqu Cyber Attack – Predecessors and Mentors
I’ve personally noted this before, but Star Wars is rife
with real-world parallels and lessons to be learned, even when it comes to authentication
and information security. There is
something to be said about the pre-Disney era of science fiction and fantasy
and how it was able to resonate with so many individuals. There are more similarities to this attack
than simply the phonetics of a name: Duqu 2.0 is an advanced threat working in
a manner just like the Sith lords we’ve come to both love and hate.
[Image courtesy of Secmeme.com]
The most obvious origin story for Duqu 2.0 goes back further than its initial version. In fact, the two didn’t even share a name: the predecessor was Stuxnet. If you haven’t seen the news or the reviews about the Stuxnet attacks, you should check them out, but here are some of the highlights.
· Physically damaged hardware
· Targeted Iranian nuclear facilities
· Used multiple origin points
· Led to the discovery of a print-spooler zero-day exploit
· Illustrated the first major dedication towards a digital manner of attack
So as you can see, the Duqu cyber attack story has a complex and very sordid beginning. There is a reason that publications such as Wired.com hail Stuxnet as the ‘World’s first digital weapon’: not only was it one of the first major digital attacks with obvious political motivations, it also illustrated the various methods digital attackers can use to spread their weapon of choice. Stuxnet spread like wildfire thanks to a ‘patient zero’ style attack – turning major companies into carriers that multiplied rapidly, increasing the chance of infecting the target exponentially. Think every recent zombie movie – only this was localized within the cyber world.
From this origin, it isn’t hard to see where Duqu got its inspiration.
Kaspersky Labs has taken the lead on Stuxnet and Duqu research, and for good reason: they have put in a lot of time and resources, keeping the public in the loop the entire way. Through their SecureList blog, Kaspersky illustrates the connection between Duqu and Stuxnet in surprising detail. You can check it out here.
Stuxnet took the world by storm in early 2010. The initial Duqu cyber attack happened barely
a year later in 2011, with all of the pomp and circumstance you would
expect.
Duqu’s relationship to Stuxnet is no longer a guess: thanks to some very in-depth analysis by Kaspersky of the Duqu cyber attack, it is now clear that the two digital weapons were created by the same people. Both weapons contain multiple instances of similar code and processes that show their shared origins quite clearly. As the Kaspersky writers put it, “Duqu and Stuxnet are like Windows and Office. Both are from Microsoft, although different people might have worked on them.”
So clearly, some people really do want to watch the world burn.
Like the character of the recently deceased Sir Christopher Lee, Duqu was an information-gathering machine. It was incredibly difficult to detect once it infiltrated the system: it was constructed specifically to target and control the certificates that handled that process. Its predecessor may have been intended primarily to hinder or destroy physical machinery, but Duqu was sent out to hide in plain sight, gathering every single byte of information it could get its digital hands on.
Duqu was the file that convinced the system it was safe, only to steal everything when the system wasn’t looking. Something tells me that Palpatine would be extraordinarily proud.
Like something from a Mission
Impossible film, the Duqu cyber attack instances ceased and Duqu went silent
in 2012. It didn’t stay that way.
Duqu 2.0 – The Second Coming
Once again, Iran seems to be the prominent target for the
Duqu cyber attack scene. The majority of
Duqu 2.0 infections are linked back to events relating to the Iranian nuclear
negotiations, according to Kaspersky’s
SecureList blog. Interestingly
enough, the new variation was only detected because the attackers decided to
deploy it against Kaspersky directly.
Though it has no relation to Iran or its nuclear program, Kaspersky is a major player in the APT game and played a major role in the cessation of the initial run of Duqu cyber attacks. Given that one of the original Duqu cyber attack goals was to provide false certification to bypass security checks, it doesn’t seem too shocking that Duqu 2.0 would attempt to sink its teeth into the very corporation that works to detect false security certificates and brought about its initial downfall.
It seems, however, that this particular Duqu cyber attack bit off more than it could chew.
Duqu 2.0 attacked in waves. Much like actual warfare, the initial phase spent much effort on undetectable infiltration (read: infection). Using a previously unknown zero-day vulnerability (CVE-2014-4148), Duqu 2.0 was able to mirror the attack used in the original Duqu cyber attack. From this stage, Duqu launched a dual-front attack: observing and infecting the remainder of the computers on the network. In this particular stage, Duqu 2.0 made use of yet another zero-day vulnerability (CVE-2014-6324), allowing unprivileged domain users to elevate their credentials to administrator level. From there, it was a relatively simple matter to spread the infection remotely throughout the domain.
Note that since this discovery, both vulnerabilities have been patched.
If you would like to learn more about the anatomy of the
virus, and how it relates to the original Duqu cyber attack, check out the Kaspersky
Technical Paper.
Silver Linings – a Light to Dull the Dark Side
Given the nuclear origins of this series of cyber attacks,
there is naturally a sense of fear associated with the news. The Duqu cyber attack (along with Stuxnet) truly
illustrates the importance of constantly observing and safeguarding your
network – and the dedication which attackers will employ to discover new
vulnerabilities. It is this sort of
attack that illustrates not only the danger of serious black hat hackers, but
also the importance of white hat hackers to assist with building an appropriate
defense.
In this case, Kaspersky is the group of white hat hackers,
keeping the public in the loop in order to increase protection worldwide. I do not think it was a coincidence that the
C&C servers hosting each instance of Duqu have since been taken
offline.
As a society, we are reaching towards a supremely digital era
at an increasingly rapid pace. We go so
far as to give over pieces of ourselves to access more digital content and
usability in order to better benefit our daily lives. The further we delve down this rabbit hole,
the more danger we are surrounded by.
The Duqu cyber attack is an example of a terrible use of the digital
age, for sure, but it also exemplifies a certain silver lining, or Bright Side.
With each new attack, and each new successful defense, we
learn more about the vulnerabilities inherent in our own creations, and how
better to rectify those mistakes in the future.
One need only look to what Deloitte managed with its mock cyber attack: learning from previous attacks and the fallout of each, the company was able to better train all employees (as opposed to just members of the IT field) in the art of defending against and responding to breaches and attacks.
Each cyber attack is a trial by fire that our society plows
through, emerging singed but whole – more resistant than ever before. Yes, Count Dooku turned to the Dark Side and
led Anakin down the path to become Darth Vader, but those events illustrated
the faults in the Jedi Code, paving the way to a brighter, stronger
future. The Duqu cyber attack is
definitely a black mark of the digital age, as was Stuxnet before it. With the help of security experts and an ever-expanding
knowledge of the dangers of the digital world, we take down these threats one
by one, growing stronger in our defenses every day.