Tuesday, 16 June 2015

Attackers used Foxconn certificate against Kaspersky

The attackers who infiltrated the internal network of anti-virus firm Kaspersky Lab used a valid digital certificate belonging to the Taiwanese company Foxconn to sign their malware. Foxconn is the world's largest electronics manufacturer and builds products for, among others, Apple, Dell and Cisco.

Last week Kaspersky Lab announced that attackers had managed to get malware onto its internal network. It was a new variant of the highly advanced Duqu malware, dubbed Duqu 2.0. Duqu 2.0 lives only in the memory of infected computers. When a machine is rebooted and the malware consequently disappears, the computer is re-infected from a compromised server. For this, the attackers use special drivers.

During the operation, the attackers installed these drivers on firewalls, gateways and other servers that have direct access to the Internet on one side and access to the corporate network on the other. In this way they achieved several goals at once: reaching the internal infrastructure from the Internet, avoiding any trace in the logs of the proxy servers, and being able to re-infect computers persistently.


On 64-bit versions of Windows, drivers must be digitally signed. Kaspersky Lab's researchers were therefore surprised to find that one of the drivers they discovered had been signed with a valid Foxconn certificate. In February 2013 the same certificate was still being used by the manufacturer to sign several drivers for Dell laptops. Signing malware with valid digital certificates is not new; it was previously seen in Stuxnet and in the first version of Duqu.
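The practical lesson of the Foxconn driver is that "signed and the signature verifies" is not the same as "signed by someone who should be shipping kernel code to this host". The following PowerShell script is an added example, not code from the original article or from Kaspersky Lab's report. It enumerates the kernel drivers currently loaded on a Windows machine, verifies each file's Authenticode signature, and reports every driver that is either not validly signed or validly signed by a publisher outside an allowlist. The `$ExpectedPublishers` patterns are an assumption for illustration; in practice you would build that list from a known-good installation of the same server role.

```powershell
# Added example (not from the original article): flag loaded kernel drivers whose
# Authenticode signature does not verify, or verifies but was issued to a publisher
# that is not expected on this host (e.g. a hardware OEM certificate on a gateway).
# The allowlist below is an assumption for illustration; derive it from a known-good build.
$ExpectedPublishers = @(
    'CN=Microsoft Windows*',
    'CN=Microsoft Windows Hardware Compatibility Publisher*'
)

function Resolve-DriverPath {
    # Win32_SystemDriver.PathName comes in NT form (\??\C:\...), \SystemRoot\...,
    # or unrooted (system32\drivers\foo.sys); normalise it to a Win32 path.
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Test-ExpectedPublisher {
    param([string]$Subject)
    foreach ($pattern in $ExpectedPublishers) {
        if ($Subject -like $pattern) { return $true }
    }
    return $false
}

Get-CimInstance -ClassName Win32_SystemDriver -Filter "State='Running'" |
  ForEach-Object {
    $path = Resolve-DriverPath $_.PathName
    if (-not $path -or -not (Test-Path -LiteralPath $path)) { return }

    # Get-AuthenticodeSignature verifies the signature and builds the chain now;
    # Status is Valid, NotSigned, HashMismatch, UnknownError, ...
    $sig     = Get-AuthenticodeSignature -FilePath $path
    $cert    = $sig.SignerCertificate
    $subject = if ($cert) { $cert.Subject } else { '' }
    $trusted = ($sig.Status -eq 'Valid') -and (Test-ExpectedPublisher $subject)

    [pscustomobject]@{
        Driver     = $_.Name
        Path       = $path
        Status     = $sig.Status
        Signer     = $subject
        Thumbprint = if ($cert) { $cert.Thumbprint } else { '' }
        NotAfter   = if ($cert) { $cert.NotAfter } else { $null }
        Suspicious = -not $trusted
    }
  } |
  Where-Object { $_.Suspicious } |
  Sort-Object Status, Signer |
  Format-Table Driver, Status, Signer, Thumbprint, NotAfter -AutoSize
```

Run it from an elevated PowerShell session. Two caveats matter for exactly the scenario described above. First, a stolen certificate passes every cryptographic check, so the only signal is the signer's identity and whether it belongs on that server; review the `Signer` column by hand rather than trusting `Status` alone. Second, this runs on the possibly compromised host: an implant that lives in kernel memory can hide its driver from `Win32_SystemDriver` or tamper with the verification result, so for a serious investigation copy the driver files off the machine and inspect them from a clean system.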

"The theft of digital certificates and signing of malware in the name of legitimate businesses is a proven method of the Duqu attackers," said the researchers at Kaspersky Lab. How the attackers obtained the Foxconn certificate is unknown. The researchers do note, however, that the attackers appear to have a preference for hardware manufacturers: Stuxnet and Duqu 1.0 used certificates from Realtek and JMicron.


What is also striking is that the attackers did not use the same certificate twice, something that was the case with the first Duqu version. "If this is the case, it means the attackers may have stolen enough alternative digital certificates from other manufacturers that are ready to be used in the next targeted attack," said the researchers, who warn that this would be very worrying, as it undermines trust in digital certificates. Meanwhile, both the certificate issuer Verisign and Foxconn have reportedly been notified about the certificate in question.
