
Duqu: The Sequel

By:
Wade Williamson
June 12, 2015

Recently, Kaspersky Labs disclosed that it was the victim of a sophisticated cyber attack, which they have named Duqu 2.0. The team at Kaspersky Labs has published a detailed analysis of Duqu 2.0 and it’s definitely worth a read.

The original Duqu was a family of malware that most researchers believe was created by a nation-state and is related to the infamous Stuxnet worm. While Stuxnet was used to damage centrifuges used to enrich uranium, the original Duqu appeared more intent on surveillance and collecting information within a compromised network.

Kaspersky’s analysis provides some very interesting insights into the attack, and in my opinion clearly shows the critical role of behavior-based systems in detecting advanced attacks.

Like the original Duqu framework, Duqu 2.0 makes heavy use of zero-day vulnerabilities in order to compromise its initial victim systems. From this initial compromise, the attackers were able to do the following:

  1. Perform internal reconnaissance to map the internal network topology.
  2. Use a Kerberos attack technique called “pass-the-hash” to spread laterally within the network.
  3. Elevate their privileges to a domain administrator account.
  4. Use those domain admin privileges to deliver MSI packages to infect additional hosts.

These calculated steps are precisely the types of behaviors that Vectra detects in real time and without the need for signatures or third-party reputation lists.

  • Internal Darknet Scans and Port Scans – These Vectra detections reveal an attacker mapping out the internal network, and identifying available services on any newly found hosts.
  • Kerberos Client Activity – This detection reveals a number of attacks, such as the use of stolen credentials and pass-the-hash attacks that enabled attackers to move laterally within the Kaspersky network. While there are many variants of pass-the-hash, Vectra is able to identify the fundamental behavior they all share.
  • Automated Replication – This detection reveals a particular host propagating similar payloads throughout the network, such as the malicious MSI packages used to infect additional hosts.
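To make the three behaviors above concrete, here is an added example of how simple behavior-based heuristics can be run over internal network flow records. This is illustrative code written for this page, not Vectra's product logic or Kaspersky's analysis tooling; the `Flow` record layout, the sample flows, the hostnames and IP addresses, the payload hash and the thresholds are all constructed assumptions. It flags a host probing many silent internal addresses (darknet scan), a host enumerating many ports on one target (port scan), one account authenticating to Kerberos from several hosts (credential reuse consistent with stolen credentials), and one host pushing the same payload to many others (automated replication).

```python
"""Toy behavior-based detectors over constructed internal flow records.

Added example only: the schema, thresholds and sample data are assumptions
made for illustration and do not come from the blog post or from Vectra.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str                 # internal source host
    dst: str                 # internal destination host
    dport: int               # destination port
    service: str             # e.g. "tcp", "kerberos", "smb" (constructed labels)
    user: str = ""           # authenticating account, when known
    payload_hash: str = ""   # hash of a transferred file, when any
    replied: bool = True     # whether dst ever answered this flow


def detect_darknet_scans(flows, min_silent_hosts=10):
    """Sources that contact many internal hosts which never answer at all."""
    tried, answered = defaultdict(set), defaultdict(set)
    for f in flows:
        tried[f.src].add(f.dst)
        if f.replied:
            answered[f.src].add(f.dst)
    result = {}
    for src, hosts in tried.items():
        silent = hosts - answered[src]
        if len(silent) >= min_silent_hosts:
            result[src] = len(silent)
    return result


def detect_port_scans(flows, min_ports=8):
    """(src, dst) pairs where one source touches many distinct ports on one host."""
    ports = defaultdict(set)
    for f in flows:
        ports[(f.src, f.dst)].add(f.dport)
    return {pair: len(p) for pair, p in ports.items() if len(p) >= min_ports}


def detect_credential_reuse(flows, min_hosts=3):
    """Accounts that authenticate to Kerberos from unusually many source hosts."""
    hosts_per_user = defaultdict(set)
    for f in flows:
        if f.service == "kerberos" and f.user:
            hosts_per_user[f.user].add(f.src)
    return {u: sorted(h) for u, h in hosts_per_user.items() if len(h) >= min_hosts}


def detect_automated_replication(flows, min_targets=3):
    """(src, payload_hash) pairs where one host sends the same payload to many hosts."""
    targets = defaultdict(set)
    for f in flows:
        if f.payload_hash:
            targets[(f.src, f.payload_hash)].add(f.dst)
    return {k: len(t) for k, t in targets.items() if len(t) >= min_targets}


# --- Constructed sample traffic (not real data) --------------------------
SCANNER = "10.0.1.50"  # assumed compromised workstation
SAMPLE_FLOWS = []
# Darknet scan: 12 unused addresses on port 445 that never answer.
for i in range(1, 13):
    SAMPLE_FLOWS.append(Flow(SCANNER, f"10.0.2.{i}", 445, "tcp", replied=False))
# Port scan: 10 ports on one live server, only a few of which answer.
for p in (21, 22, 23, 25, 80, 135, 139, 443, 445, 3389):
    SAMPLE_FLOWS.append(Flow(SCANNER, "10.0.3.7", p, "tcp", replied=p in (22, 80, 443)))
# Credential reuse: one account authenticating from four different hosts.
for h in ("10.0.1.50", "10.0.1.51", "10.0.1.52", "10.0.1.53"):
    SAMPLE_FLOWS.append(Flow(h, "10.0.0.10", 88, "kerberos", user="jdoe"))
# Automated replication: the same payload pushed to five hosts over SMB.
for i in range(1, 6):
    SAMPLE_FLOWS.append(Flow(SCANNER, f"10.0.4.{i}", 445, "smb",
                             payload_hash="CONSTRUCTED_MSI_HASH"))
# Benign background: normal web traffic and one user on two machines.
SAMPLE_FLOWS += [
    Flow("10.0.1.60", "10.0.0.20", 443, "tcp"),
    Flow("10.0.1.60", "10.0.0.10", 88, "kerberos", user="asmith"),
    Flow("10.0.1.61", "10.0.0.10", 88, "kerberos", user="asmith"),
]


def run_all(flows):
    """Run every detector and return the combined findings."""
    return {
        "darknet_scans": detect_darknet_scans(flows),
        "port_scans": detect_port_scans(flows),
        "credential_reuse": detect_credential_reuse(flows),
        "automated_replication": detect_automated_replication(flows),
    }


if __name__ == "__main__":
    for name, findings in run_all(SAMPLE_FLOWS).items():
        print(f"{name}: {findings}")
```

Each detector keys on the behavior rather than on any signature: no hash of the scanner, the MSI or the credential tool is needed, which is the point the post makes about signature-free detection. The thresholds are deliberately crude; in practice they would be tuned against a baseline of each host's and account's normal activity so that a backup server or a helpdesk account is not flagged every day.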

While these detections shed light on several points, it’s also important to see the big picture. In many ways, Duqu 2.0 feels very similar to the original. Sophisticated attackers with knowledge of zero-day vulnerabilities silently infect a host and quietly spread and spy on the network. It’s very likely that this pattern will continue to repeat itself, although next time with a new zero-day vulnerability.

The most sophisticated attackers will always find new vulnerabilities to exploit. But their fundamental goals and actions once inside the network tend to remain surprisingly constant.

Attackers will orient themselves in a network, escalate privilege, and spread through the network. These behaviors are directly observable to products that closely monitor internal networks. Unless we begin to apply security models that focus on these behaviors, the sequel will look very much like the episode we’ve already seen.

Learn more about the real-time detection of threats that are already inside your network by reading the Post-Intrusion Report, June 2015.


About the author

Wade Williamson

Wade Williamson is a cybersecurity writer, product manager and marketer with experience in positions from director of product marketing to senior security analyst.
