The Russian anti-virus firm Kaspersky Lab earlier this year became the victim of a cyber-espionage operation in which various internal systems were infected with advanced malware. The malware was discovered during an internal security check with a new product. To spread it, the attackers used a previously unknown vulnerability in the Windows kernel, which Microsoft patched yesterday. The company also does not rule out that two other zero-day vulnerabilities were used, which have since been patched.
The original attack vector is as yet unknown, although the attackers probably used a spear-phishing email. In the case of one of the first victims, the mailbox and browsing history turned out to have been wiped to hide traces of the attack. Since the infected machines were fully patched, Kaspersky believes an unknown vulnerability was exploited. According to the company, the attack on the corporate network had no impact on its anti-virus software or its customers.
According to Kaspersky, the attackers were interested in the company's intellectual property, as well as in the technology it uses to detect and analyze espionage attacks. Kaspersky said in a statement that the attackers' decision to carry out the attack was probably a very difficult one, as it would almost certainly be discovered. "Attacking security companies indicates that they have a lot of confidence that they will not get caught, or maybe they do not care if they are discovered."
To avoid discovery, the malware lived mainly in the memory of infected computers, which means that a reboot would remove the infection. To keep machines persistently infected anyway, the attackers infected servers in the network with high uptime, which then re-infected computers in the domain. The drawback of this approach is that a power failure would disinfect all computers and servers at once. The attackers therefore installed drivers on a small number of computers. These drivers can tunnel traffic from outside the network to the inside, allowing the attackers to connect via remote desktop sessions or log in to servers with previously stolen credentials.
United States
According to Kaspersky Lab, the attack was carried out by the group that previously created the highly sophisticated Duqu virus. Duqu has been linked to the organization that developed Stuxnet, which several experts believe was built by the US government to disrupt Iran's nuclear program. Several sophisticated espionage operations attributed to the US government in recent years were exposed by Kaspersky Lab.
In the case of Duqu 2.0, as the malware used in this attack is called, the Russian anti-virus company likewise believes it is dealing with an attack carried out by a state. A campaign of this kind is very costly and requires a lot of resources; the framework on which Duqu 2.0 is built is estimated to have cost $50 million. The platform's dependence on zero-day vulnerabilities is also notable. Nor is Duqu 2.0 designed with financial motives in mind, as is the case with much cybercriminal malware.
Besides Kaspersky Lab, the malware was also used against other targets. Fewer than one hundred infections have reportedly been observed worldwide; the first version of Duqu had fewer than fifty targets. Victims of version 2.0 are located in Western countries, the Middle East and Asia. As in 2011, Duqu 2.0 would also be aimed at spying on Iran's nuclear program. Symantec reports that European and North African telecom providers were attacked with the malware, as well as a manufacturer of electronic equipment in Southeast Asia.
DUQU 2.0 Indicators: