Security Vendor Kaspersky Lab Is Latest Cyberattack Target

A new target for attackers has emerged: the security vendors themselves.

On Wednesday, Kaspersky Lab announced that it had discovered a sophisticated new malware platform that had infiltrated several of its internal systems. Kaspersky said the attack -- which it is calling Duqu 2.0, and which it said came from infamous advanced persistent threat actor Duqu -- exploited up to three zero-day vulnerabilities, and then spread using Microsoft Software Installer files.

Kaspersky said other victims of what is believed to be a nation-state-sponsored attack included events and venues with links to world power meetings, among them the recent negotiations for an Iran nuclear deal and the 70th anniversary of the liberation of Auschwitz-Birkenau. As the investigation is still preliminary, Kaspersky said, there is "no doubt" the attack radius is much wider.

Symantec confirmed the attack campaign via its own threat intelligence in a blog post.

The attack on the security vendor targeted information on the company's newest technologies, such as Kaspersky Lab's Secure Operating System, Kaspersky Fraud Prevention, Kaspersky Security Network, and its Anti-APT solutions and services. The attackers also targeted Kaspersky Lab's investigations into advanced targeted attacks, the company said.

The malware platform has created a "dangerous tendency" for spying on cybersecurity companies, Kaspersky Lab CEO Eugene Kaspersky said at a news conference about the discovery.

"Security software is the last frontier of protection for businesses and customers in the modern world, where hardware and network equipment can be compromised. Moreover, sooner or later technologies implemented in similar targeted attacks will be examined and utilized by terrorists and professional cybercriminals. And that is an extremely serious and possible scenario," Kaspersky said.

Sam Heard, president of Lakeland, Fla.-based Data Integrity Services, said the hack highlights that no one, not even the bigger security vendors, is safe from targeted attacks.

"To me, that’s just the nature of the game," Heard said. "If you think about it, security is nothing but a reactionary vertical. If someone comes out with a smarter mouse, then someone is going to build a bigger mousetrap. It's always going to be punch and counter punch. ... It's the nature of the beast."

From a technical perspective, the discovery shows that protecting the endpoint simply won't cut it anymore against professional government-grade malware, Kurt Baumgartner, principal security researcher at Kaspersky Lab, said in an email to CRN.

"The cyber arms race is escalating fast. Attackers are improving their cyber capabilities, implementing more and more sophisticated tools and techniques for their attacks. No private or public organization can feel safe now."

Discovering the malware was extremely difficult, Kaspersky said, because it resided only in system memory, beyond the reach of anti-malware detection. On top of that, instead of contacting command-and-control servers for instructions, the malware used malicious drivers to infect network gateways and firewalls, which then proxied traffic to the attacker.

"The philosophy and way of thinking of the Duqu 2.0 group is a generation ahead of anything seen in the APT world. This was a highly sophisticated attack performed by a nation-state actor. The group behind Duqu is very skilled, powerful and did everything possible to try to stay under the radar," Baumgartner said.

"The Duqu people were confident enough to create and run an entire cyber-espionage operation just in the system’s memory, and that they can survive within an entire network of compromised computers without relying on any persistence mechanism at all," Baumgartner said. "These reasons make Duqu 2.0 more advanced than any other APT group."

A full audit will be complete in a few weeks, but Kaspersky emphasized in its announcement that it had taken the necessary steps to make sure clients and partners were protected. For partners, Baumgartner recommended making sure security products are installed on all computers, servers and proxies; updating Windows to the latest version; rebooting all computers in the network if there is an indication of a Duqu 2.0 infection; and changing all passwords.