Beware – Duqu Has Returned, Kaspersky Reveals

One of the most damaging cyber-threats of recent years has resurfaced in what will be most unwelcome news for many security professionals.

Researchers at Kaspersky Lab have today announced the discovery of Duqu 2.0, an updated successor to 2012’s original Duqu, which attacked targets in countries around the world and was thought to be linked to the Stuxnet worm.

The threat, which has been active for around a year, was detected running on Kaspersky’s own systems and has also attacked several major organisations around the globe, using up to three different zero-day exploits and Advanced Persistent Threat (APT) techniques.

It is thought to have infected systems related to the P5+1 events and venues related to the negotiations with Iran about a nuclear deal, as well as launching a similar attack in relation to the 70th anniversary event of the liberation of Auschwitz-Birkenau.

‘Highly sophisticated’

“The people behind Duqu are one of the most skilled and powerful APT groups and they did everything possible to try to stay under the radar,” said Costin Raiu, director of Kaspersky Lab’s global research & analysis team.

“This highly sophisticated attack used up to three zero-day exploits, which is very impressive – the costs must have been very high. To stay hidden, the malware resides only in kernel memory, so anti-malware solutions might have problems detecting it. It also doesn’t directly connect to a command-and-control server to receive instructions. Instead, the attackers infect network gateways and firewalls by installing malicious drivers that proxy all traffic from the internal network to the attackers’ command and control servers.”

As for Kaspersky, it admitted it was attacked via “a zero-day in the Windows Kernel, and possibly up to two other, currently patched vulnerabilities, which were zero-day at that time”.

Analysis of the attack revealed that the main goal of the attackers was to spy on Kaspersky Lab technologies, ongoing research and internal processes. No interference with processes or systems was detected, and the company has reassured its customers it is still able to detect and block threats.

“Spying on cybersecurity companies is a very dangerous tendency. Security software is the last frontier of protection for businesses and customers in the modern world, where hardware and network equipment can be compromised. Moreover, sooner or later technologies implemented in similar targeted attacks will be examined and utilised by terrorists and professional cybercriminals. And that is an extremely serious and possible scenario,” commented Eugene Kaspersky, CEO of Kaspersky Lab.

“Reporting such incidents is the only way to make the world more secure. This helps to improve the security design of enterprise infrastructure and sends a straightforward signal to developers of this malware: all illegal operations will be stopped and prosecuted. The only way to protect the world is to have law enforcement agencies and security companies fighting such attacks openly. We will always report attacks regardless of their origin.”


Mike Moore

Michael Moore joined TechWeek Europe in January 2014 as a trainee before graduating to Reporter later that year. He covers a wide range of topics, including but not limited to mobile devices, wearable tech, the Internet of Things, and financial technology.
