Duqu: The Sequel

Recently, Kasperky Labs disclosed that it was the victim of a sophisticated cyber attack, which they have named Duqu 2.0. The team at Kaspersky Labs has published a detailed analysis of Duqu 2.0 and it’s definitely worth a read.

‍

The original Duqu threat

The original Duqu threat actor was a family of malware that most researchers believe was created by a nation-state and it’s related to the infamous Stuxnet worm. While Stuxnet was used to damage centrifuges used to enrich uranium, the original Duqu appeared more intent on surveillance and collecting information within a compromised network.

Kaspersky’s analysis provides some very interesting insights into the attack, and in my opinion clearly show the critical role of behavior-based systems in detecting advanced attacks.

Like the original Duqu framework, Duqu 2.0 makes heavy use of zero-day vulnerabilities in order to compromise its initial victim systems. From this initial compromise, the attackers were able to do the following:

1. Perform internal reconnaissance to map the internal network topology.
2. Use a Kerberos attack technique called “pass-the-hash” to spread laterally within the network.
3. Elevate their privileges to a domain administrator account.
4. Use those domain admin privileges to deliver MSI packages to infect additional hosts.

‍

Anomalies detected by Vectra

These calculated steps are precisely the types of behaviors that Vectra detects in real time and without the need for signatures or third-party reputation lists.

• Internal Darknet Scans and Port Scans – These Vectra detections reveal an attacker mapping out the internal network, and identifying available services on any newly found hosts.
• Kerberos Client Activity – This detection reveals a number of attacks, such as the use of stolen credentials and pass-the-hash attacks that enabled attackers to move laterally within the Kaspersky network. While, there are many variants of pass-the-hash, Vectra is able to identify the fundamental behavior they all share in common.
• Automated Replication – This detection reveals a particular host propagating similar payloads throughout the network, such as the malicious MSI packages used to infect additional hosts.

While these detections shed light on several points, it’s also important to see the big picture. In many ways, Duqu 2.0 feels very similar to the original. Sophisticated attackers with knowledge of zero-day vulnerabilities silently infect a host and quietly spread and spy on the network. It’s very likely that this pattern will continue to repeat itself, although next time with a new zero-day vulnerability.

The most sophisticated attackers will always launch new vulnerabilities. But their fundamental goals and actions once inside the network tend to remain surprisingly constant.

Attackers will orient themselves in a network, escalate privilege, and spread through the network. These behaviors are directly observable to products that closely monitor internal networks. Unless we begin to apply security models that focus on these behaviors, the sequel will look very much like the episode we’ve already seen.

Learn more about the real-time detection of threats that are already inside your network by reading the Post-Intrusion Report, June 2015.