Duqu 2.0: ICS Needs New Approach
Wednesday, June 24, 2015 @ 02:06 PM gHale
By Gregory Hale
Bad guys were able to steal legitimate digital certificates to help them get into systems, so questions remain about just how vulnerable industrial control systems would be under that scenario.
The assumption that digital certificates are themselves secure is now coming into question, as Duqu 2.0 used legitimate digital certificates issued by Foxconn, a global electronics contract manufacturer, to hack into other organizations.
Duqu 2.0 is back on the prowl looking for intellectual property theft, said researchers at Kaspersky Lab, who discovered the new version of the attack as their own systems were under assault from the advanced persistent threat (APT).
“The use of digital certificates maliciously should come as no surprise based on what we have seen over the past five or more years,” said Joel Langill, an independent security researcher, consultant, creator of the website SCADAhacker.com. “Stuxnet made it very clear that these can be used as viable attack vectors and allow the installation of malicious software without detection from traditional security means.”
Kaspersky researchers found that using legitimate certificates allows attackers to surreptitiously deliver malicious software to victims’ devices without security solutions noticing, just as if it were legitimate software.
“The main risk I see to industrial control systems is that since these systems are relatively decoupled from traditional office networks, the revocation of digital certificates from certificate authorities is very difficult to replicate down to the ICS assets connected to industrial networks,” Langill said. “In other words, the certificates do not appear to be revoked within a timely manner.”
The catch is users need to learn from the incidents and understand what they should do and sometimes that means not doing the standard measure.
“I would hope that with Duqu2 and Stuxnet both being targeted attacks that include industrial control system assets, that asset owners, end-users, vendors and suppliers will start to realize the importance of moving beyond traditional tactical security controls like patch management and certificate revocation, to more strategic controls like using application control and whitelisting methods in defending against tomorrow’s threats,” Langill said. “It is disturbing that some ICS suppliers today have not fully endorsed the use of whitelisting technologies with their industrial architectures.”
In short, whitelisting only allows approved applications to run on the network. End users have been slow to adopt it. One reason is that it is harder to implement than things like perimeter security, and people sometimes default to the easier solution.
Whitelisting is not the only answer, but it is a solid technology that would dovetail nicely into an industrial control system network.
“Strategic controls offer more resilience to evolving threats that are coming through sophisticated threat actors by not depending on knowledge that originates external to your security perimeter,” Langill said. “By identifying a safe and secure baseline fingerprint, that can be used to detect anomalies very quickly within the secure industrial networks.”
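The two points Langill makes above, that certificate revocation rarely reaches ICS assets in time and that a known-good baseline fingerprint lets you catch anomalies without depending on outside knowledge, can be shown together in a small application-control decision routine. The code below is an added illustration, not code from Kaspersky Lab, Langill or any ICS vendor. It assumes a hash allowlist built from a known-good install and a locally mirrored revocation list with a sync timestamp; all binaries, signer fingerprints, dates and the seven-day staleness limit are constructed for the example.

```python
"""Application-control decision engine (added example, not from the article).

Models two controls: a hash allowlist built from a known-good baseline, and a
locally mirrored certificate revocation list whose age is checked, so that a
revocation the isolated ICS network has not yet received is treated as
"unknown" rather than "good". All inputs below are constructed.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, Optional, Set, Tuple

# Assumption: a revocation mirror older than this cannot vouch for a signer.
MAX_MIRROR_AGE = timedelta(days=7)


@dataclass(frozen=True)
class Binary:
    name: str
    content: bytes
    signer_fingerprint: Optional[str]  # constructed cert fingerprint, or None if unsigned


@dataclass
class RevocationMirror:
    revoked: Set[str]       # fingerprints the mirror knows are revoked
    last_synced: datetime   # when this isolated network last pulled revocation data


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(binaries: Iterable[Binary]) -> Dict[str, str]:
    """Fingerprint the known-good install: file name -> SHA-256 of its content."""
    return {b.name: sha256_hex(b.content) for b in binaries}


def revocation_state(mirror: RevocationMirror, fingerprint: Optional[str], now: datetime) -> str:
    """'unsigned', 'unknown' (mirror stale), 'revoked' or 'good'."""
    if fingerprint is None:
        return "unsigned"
    if now - mirror.last_synced > MAX_MIRROR_AGE:
        return "unknown"
    return "revoked" if fingerprint in mirror.revoked else "good"


def decide(binary: Binary, baseline: Dict[str, str], mirror: RevocationMirror, now: datetime) -> Tuple[str, str]:
    """Return (verdict, reason). A known revocation always blocks; otherwise only
    the baseline can allow, so a valid-looking signature on its own never does."""
    state = revocation_state(mirror, binary.signer_fingerprint, now)
    if state == "revoked":
        return "block", "signing certificate is revoked"
    expected = baseline.get(binary.name)
    if expected is None:
        return "block", f"not in baseline (signature state: {state})"
    if expected != sha256_hex(binary.content):
        return "block", "hash differs from baseline"
    if state == "unknown":
        return "allow", "matches baseline; revocation status unknown (mirror stale)"
    return "allow", "matches baseline"


# Constructed known-good install used to build the baseline.
KNOWN_GOOD = [
    Binary("hmi.exe", b"constructed HMI binary v1", "fp-vendor-ok"),
    Binary("plcmon.exe", b"constructed PLC monitor v1", "fp-vendor-ok"),
]
BASELINE = build_baseline(KNOWN_GOOD)

NOW = datetime(2015, 6, 24, tzinfo=timezone.utc)
# Office-network mirror synced yesterday and aware of the stolen certificate.
FRESH_MIRROR = RevocationMirror({"fp-stolen"}, NOW - timedelta(days=1))
# ICS-network mirror last synced months ago; it never learned of the revocation.
STALE_MIRROR = RevocationMirror(set(), NOW - timedelta(days=90))

# Constructed candidates: an unchanged baseline file, a new file signed with the
# stolen certificate, and a baseline file whose content was modified.
CANDIDATES = {
    "good": KNOWN_GOOD[0],
    "dropper": Binary("update.exe", b"constructed unknown installer", "fp-stolen"),
    "tampered": Binary("hmi.exe", b"constructed HMI binary v1 + patch", "fp-stolen"),
}


def run(mirror: RevocationMirror, now: datetime = NOW) -> Dict[str, Tuple[str, str]]:
    return {key: decide(b, BASELINE, mirror, now) for key, b in CANDIDATES.items()}


if __name__ == "__main__":
    for label, mirror in (("fresh mirror", FRESH_MIRROR), ("stale mirror", STALE_MIRROR)):
        print(f"== {label} ==")
        for key, (verdict, reason) in run(mirror).items():
            print(f"{key:9s} {verdict:6s} {reason}")
```

With the stale mirror, the file signed by the stolen certificate is still blocked, but for a different reason: it is not in the baseline. That is the property Langill describes: the allowlist decision needs no knowledge from outside the perimeter, whereas the revocation check alone would have passed it. The tampered baseline file is caught by its hash regardless of how it is signed.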
Kaspersky Lab researchers discovered the company wasn’t the only target of this attacker.
Other victims were in Western countries, as well as in countries in the Middle East and Asia. Most notably, some of the new 2014-2015 infections link to the P5+1 events and venues related to the negotiations with Iran about a nuclear deal.
The Duqu team appears to have launched attacks at the venues where the high level talks took place. In addition to the P5+1 events, the Duqu 2.0 group launched a similar attack in relation to the 70th anniversary event of the liberation of Auschwitz-Birkenau. Similar to the P5+1 events, there were quite a few foreign dignitaries and politicians in attendance.