Duqu 2.0: Securing Secure Certificates

Monday, June 15, 2015 @ 02:06 PM gHale

By Gregory Hale
The idea of securing secure certificates is now coming into question, as Duqu 2.0 used legitimate digital certificates issued by Foxconn, a global electronics contract manufacturer, to hack into other organizations.

Duqu 2.0 is back on the prowl looking for intellectual property theft, said researchers at Kaspersky Lab, who discovered the new version of the attack as their own systems were under assault from the advanced persistent threat (APT).


Kaspersky’s analysis found the top goal of the attackers was to spy on technologies, ongoing research and internal processes, without interfering with processes or systems.

With further analysis, researchers found that using legitimate certificates allows attackers to surreptitiously deliver malicious software to victims’ devices without security solutions noticing, just as if it were legitimate software.

Kaspersky Lab researchers have evidence the Duqu attacker was able to get access to multiple certificates, and that they tend not to reuse the same certificate in different attacks. It is always a new, unique one.

“The attackers created an unusual persistence module which they deploy on compromised networks. It serves a double function – it also supports a hidden C&C communication scheme,” said researchers in their blog post. “This organization-level persistence is achieved by a driver that is installed as a normal system service. On 64-bit systems, this implies a strict requirement for an Authenticode digital signature. We have seen two such persistence drivers deployed in the course of attacks.

“During their operations the Duqu threat actors install these malicious drivers on firewalls, gateways or any other servers that have direct Internet access on one side and corporate network access on other side. By using them, they can achieve several goals at a time: Access internal infrastructure from the Internet, avoid log records in corporate proxy servers and maintain a form of persistence after all.

“In essence, the drivers are redirecting network streams to and from the gateway machine that runs it. To forward connections, the attacker first has to pass a network-based ‘knocking’ mechanism by using a secret keyword. We have seen two different secret keywords in the samples we collected so far: ‘romanian.antihacker’ and ‘ugly.gorilla.’”
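Because the persistence described above relies on an Authenticode-signed kernel driver registered as an ordinary service, one defensive check is to inventory every driver service on an Internet-facing gateway and review its signer. The script below is an added example, not code from the article or from Kaspersky; the trusted-signer baseline is an assumption to adjust per environment.

```powershell
# Added example: list kernel driver services and their Authenticode signers on a
# 64-bit Windows gateway, flagging any signer outside an assumed baseline.
# Run in an elevated PowerShell session on the host being audited.
$trustedSigners = @('CN=Microsoft Windows', 'CN=Microsoft Corporation')  # assumption: expected signers

$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName }                      # skip entries with no on-disk path

$report = foreach ($d in $drivers) {
    # Service paths may carry a \??\ or \SystemRoot prefix; normalise before checking the file
    $path = $d.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $sig = Get-AuthenticodeSignature -LiteralPath $path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

    [pscustomobject]@{
        Service   = $d.Name
        State     = $d.State
        StartMode = $d.StartMode
        Path      = $path
        SigStatus = $sig.Status            # Valid, NotSigned, HashMismatch, ...
        Signer    = $subject
        # A validly signed driver from a hardware vendor is routine on a workstation but
        # deserves a second look on a firewall or gateway that should not need such drivers.
        Review    = -not ($trustedSigners | Where-Object { $subject -like "*$_*" })
    }
}

# Show only drivers whose signer falls outside the baseline, grouped by signer
$report | Where-Object Review | Sort-Object Signer | Format-Table -AutoSize
```

A driver whose signature is valid but whose signer is a hardware manufacturer the host has no reason to carry is exactly the case the report describes; compare the flagged entries against the gateway's build documentation rather than trusting the signature alone.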

While Duqu developers found a way through the communication process, Kaspersky researchers delved deeper into the pilfered digital certificates.

“During our previous research into Stuxnet and Duqu we have observed digitally signed malware (using malicious Jmicron and Realtek certs),” the researchers said. “Stealing digital certificates and signing malware on behalf of legitimate businesses seems to be a regular trick from the Duqu attackers. We have no confirmation that any of these vendors have been compromised but our indicators definitely show that the Duqu attackers have a major interest in hardware manufacturers such as Foxconn, Realtek and Jmicron. This was confirmed in the 2014/2015 attacks, when we observed infections associated with hardware manufacturers from APAC, including ICS and SCADA computer equipment manufacturers.

“Another interesting observation is that besides these Duqu drivers we haven’t uncovered any other malware signed with the same certificates. That rules out the possibility that the certificates have been leaked and are being used by multiple groups. It also seems to indicate the Duqu attackers are the only ones who have access to these certificates, which strengthens the theory they hacked the hardware manufacturers in order to get these certificates.”

Kaspersky Lab researchers discovered the company wasn’t the only target of this attacker.

Other victims were in Western countries, as well as in countries in the Middle East and Asia. Most notably, some of the new 2014-2015 infections link to the P5+1 events and venues related to the negotiations with Iran about a nuclear deal. The Duqu team appears to have launched attacks at the venues where the high level talks took place. In addition to the P5+1 events, the Duqu 2.0 group launched a similar attack in relation to the 70th anniversary event of the liberation of Auschwitz-Birkenau. Similar to the P5+1 events, there were quite a few foreign dignitaries and politicians in attendance.