U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Authors of Duqu 2.0 used a stolen digital certificate in attacks

Malware authors behind the Duqu 2.0 used a stolen certificate from the Foxconn company to implement a persistence mechanism and stay stealthy. New details emerge from the investigation conducted by the experts at Kaspersky on the Duqu 2.0 malware that targeted the systems of the company, the threat actors used valid certificate from Hon Hai Precision Industry […]

Authors of Duqu 2.0 used a stolen digital certificate in attacks

Malware authors behind the Duqu 2.0 used a stolen certificate from the Foxconn company to implement a persistence mechanism and stay stealthy.

New details emerge from the investigation conducted by the experts at Kaspersky on the Duqu 2.0 malware that targeted the systems of the company, the threat actors used valid certificate from Hon Hai Precision Industry Co. LTD (aka Foxconn Technology Group) to digitally sign the malicious code.

According to the malware researchers at Kaspersky, the digital certificate was issued by VeriSign and used the authors of Duqu 2.0 to digitally sign the source code of a driver designed to mask command-and-control traffic.

Foxconn provides electronic components for a wide number of companies, including Apple and BlackBerry.

The majority of Duqu 2.0 infections was observed between 2014 and 2015 concurrently to the negotiations on the Iranian nuclear program engaged by the P5+1 (the United States, United Kingdom, Germany, France, Russia, and China, facilitated by the European Union) with Iran.

“The attackers created an unusual persistence module which they deploy on compromised networks. It serves a double function – it also supports a hidden C&C communication scheme. This organization-level persistence is achieved by a driver that is installed as a normal system service. On 64-bit systems, this implies a strict requirement for an Authenticode digital signature. We have seen two such persistence drivers deployed in the course of attacks.” states a blog post published by the Kaspersky Lab’s Global Research & Analysis Team (GReAT).

The researchers discovered that the threat actors installed malicious digitally signed drivers for network devices to interfere with traffic routing.

 

duqu 2.0 digital certificate

“During their operations the Duqu threat actors install these malicious drivers on firewalls, gateways or any other servers that have direct Internet access on one side and corporate network access on the other side. By using them, they can achieve several goals at a time: access internal infrastructure from the Internet, avoid log records in corporate proxy servers and maintain a form of persistence after all.” continues the post.

“In essence, the drivers are redirecting network streams to and from the gateway machine that runs it,” the researchers explained. “To forward connections, the attacker first has to pass a network-based “knocking” mechanism by using a secret keyword. We have seen two different secret keywords in the samples we collected so far: “romanian.antihacker” and “ugly.gorilla”.”

The used of digitally signed code seeming to be a prerogative of threat actor behind Duqu, the attackers haven’t used the same digital signature more than once.

“Another interesting observation is that besides these Duqu drivers we haven’t uncovered any other malware signed with the same certificates,” the researchers continued. “That rules out the possibility that the certificates have been leaked and are being used by multiple groups. It also seems to indicate the Duqu attackers are the only ones who have access to these certificates, which strengthens the theory they hacked the hardware manufacturers in order to get these certificates.”

Stay tuned!

Pierluigi Paganini

(Security Affairs – Duqu 2.0,  malware)