Duqu: The Sequel
Recently, Kasperky Labs disclosed that it was the victim of a sophisticated cyber attack, which they have named Duqu 2.0. The team at Kaspersky Labs has published a detailed analysis of Duqu 2.0 and it’s definitely worth a read.
The original Duqu threat actor was a family of malware that most researchers believe was created by a nation-state and it’s related to the infamous Stuxnet worm. While Stuxnet was used to damage centrifuges used to enrich uranium, the original Duqu appeared more intent on surveillance and collecting information within a compromised network.
Kaspersky’s analysis provides some very interesting insights into the attack, and in my opinion clearly show the critical role of behavior-based systems in detecting advanced attacks.
Like the original Duqu framework, Duqu 2.0 makes heavy use of zero-day vulnerabilities in order to compromise its initial victim systems. From this initial compromise, the attackers were able to do the following:
These calculated steps are precisely the types of behaviors that Vectra detects in real time and without the need for signatures or third-party reputation lists.
While these detections shed light on several points, it’s also important to see the big picture. In many ways, Duqu 2.0 feels very similar to the original. Sophisticated attackers with knowledge of zero-day vulnerabilities silently infect a host and quietly spread and spy on the network. It’s very likely that this pattern will continue to repeat itself, although next time with a new zero-day vulnerability.
The most sophisticated attackers will always launch new vulnerabilities. But their fundamental goals and actions once inside the network tend to remain surprisingly constant.
Attackers will orient themselves in a network, escalate privilege, and spread through the network. These behaviors are directly observable to products that closely monitor internal networks. Unless we begin to apply security models that focus on these behaviors, the sequel will look very much like the episode we’ve already seen.
Learn more about the real-time detection of threats that are already inside your network by reading the Post-Intrusion Report, June 2015.