
Kaspersky discovers and unveil Duqu 2.0


7 replies to this topic

#1 Aura (Bleepin' Special Ops, Malware Response Team)

Posted 10 June 2015 - 09:03 AM

The bad news is that we discovered an advanced attack on our own internal networks. It was complex, stealthy, it exploited several zero-day vulnerabilities, and we're quite confident that there's a nation state behind it. We've called it Duqu 2.0. Why Duqu 2.0 and what it has in common with the original Duqu? See here.


Source: https://blog.kaspersky.com/kaspersky-statement-duqu-attack/

Related articles:

https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/
http://www.kaspersky.com/about/news/virus/2015/Duqu-is-back
http://www.wired.com/2015/06/kaspersky-finds-new-nation-state-attack-network/
http://media.kaspersky.com/en/Duqu-2-0-Frequently-Asked-Questions.pdf

Things are about to get interesting if Duqu is making a comeback.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.




#2 Sintharius (Bleepin' Sniper, Members)

Posted 10 June 2015 - 09:25 AM

For the employees of the Russian firm Kaspersky Lab, tracking down computer viruses, worms and Trojans and rendering them harmless is all in a day's work. But they recently discovered a particularly sophisticated cyber attack on several of the company's own networks. The infection had gone undetected for months.

Company officials believe the attack began when a Kaspersky employee in one of the company's offices in the Asia-Pacific region was sent a targeted, seemingly innocuous email with malware hidden in the attachment, which then became lodged in the firm's systems and expanded from there. The malware was apparently only discovered during internal security tests "this spring."

The Worm Turns: Virus Hunter Kaspersky Becomes the Hunted

As usual... the weakest link in the chain of security is always the user.

#3 Aura (Bleepin' Special Ops, Malware Response Team, Topic Starter)

Posted 10 June 2015 - 09:34 AM

That employee might be only a secretary or else too sadly.



#4 PresComm (Members)

Posted 10 June 2015 - 11:27 AM

From the article: "...Even if it does hurt ‘reputation’ – I don’t care. Our mission is to save the world, and that admits no compromise."

Good on them, then.

I guess I am not shocked, between Stuxnet, Flame, Duqu, Equation, Cleaver, etc., etc., etc. APTs or DHAs (whichever you prefer) are just a fact of life now. I am interested to see that they are developing anti-APT technology, though. One can only hope/assume that it will be behaviour-based, and not signature-based.

We really are entering a new era of security technologies but, as usual, as Alex said:

....the weakest link in the chain of security is always the user.

No amount of anti-APT or anti-exploit or anti-malware or anti-voodoo will protect users from themselves.



#5 White Hat Mike (Members)

Posted 10 June 2015 - 12:03 PM

In the process of contacting Kaspersky in hopes of correlating evidence. Believe we've discovered some samples related to Duqu 2.0; the similarities as to who the APT targeted, the evasion techniques, etc. are all way too similar...


Information Security Engineer | Penetration Tester | Forensic Analyst

CipherTechs.com


#6 Aura (Bleepin' Special Ops, Malware Response Team, Topic Starter)

Posted 10 June 2015 - 12:13 PM

Where did you get these samples from? A customer, or were you attacked as well?



#7 Aura (Bleepin' Special Ops, Malware Response Team, Topic Starter)

Posted 15 June 2015 - 10:37 AM

New article:

https://securelist.com/blog/research/70641/the-duqu-2-0-persistence-module/



#8 White Hat Mike (Members)

Posted 15 June 2015 - 04:34 PM

New article:

https://securelist.com/blog/research/70641/the-duqu-2-0-persistence-module/


Pretty odd choice of keywords. Wonder if this is a hint of a connection, an attempt to throw off analysts, or just pure coincidence. What I'm referring to is the keyword "uglygorilla". Remember Mandiant's investigation of the PLA unit now deemed "APT1"? One of the identified hackers' usernames was "UglyGorilla".





