Friday, October 13, 2017

Kaspersky Network hacked in 2014 but mentioned now by US government

Israeli spies hacked into Kaspersky Lab's network and discovered that the Russian government was using the company's widely installed anti-virus software to spy on U.S. intelligence agencies?

If the assertion is true, it would be devastating to Kaspersky Lab, led by its barrel-chested, loquacious co-founder Eugene Kaspersky, has been dogged by unfounded speculation that it may be an extension of Russia's security agencies, willingly or not. But in the age of Trumpism its really hard to know? Who to trust? I am on the fence waiting for a conclusive answer.

Spy Versus Spy

In December 2013, Reuters reported that U.S. security firm RSA received $10 million from the NSA to use an intentionally flawed formula in its encryption software. The formula generated random numbers, which are crucial for creating unbreakable ciphers. The flaws, however, gave the NSA a secret backdoor for cracking that encryption.

from https://www.govinfosecurity.com/will-kaspersky-lab-survive-russia-hacking-scandal-a-10375

Kaspersky Release of Full Disclosure of the Israeli 2014 Hack

Earlier this year, during a security sweep, Kaspersky Lab detected a cyber-intrusion affecting several of our internal systems.

Following this finding, we launched a large scale investigation, which led to the discovery of a new malware platform from one of the most skilled, mysterious and powerful groups in the APT world  Duqu. The Duqu threat actor went dark in 2012 and was believed to have stopped working on this project  until now. Our technical analysis indicates the new round of attacks include an updated version of the infamous 2011 Duqu malware, sometimes referred to as the stepbrother of Stuxnet. We named this new malware and its associated platform Duqu 2.0.

Some of the new 2014-2015 Duqu infections are linked to the P5+1 events and venues related to the negotiations with Iran about a nuclear deal. The threat actor behind Duqu appears to have launched attacks at the venues for some of these high level talks. In addition to the P5+1 events, the Duqu 2.0 group has launched a similar attack in relation to the 70th anniversary event of the liberation of Auschwitz-Birkenau.

from https://securelist.com/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/70504/

Technical Kaspersky Report 

In 2011, we were able to identify Duqu attacks that used Word Documents containing an exploit for a zero-day vulnerability (CVE-2011-3402) that relied on a malicious embedded TTF (True Type Font File). This exploit allowed the attackers to jump directly into Kernel mode from a Word Document, a very powerful, extremely rare, technique. A similar technique and zero-day exploit ( 4CVE-2014-4148) appeared again in June 2014, as part of an attack against a prominent international organization. The C&C server used in this 2014 attack as well as other factors have certain similarities with Duqu, however, the malware is different from both Duqu and Duqu 2.0. It is possible that this is a parallel project from the Duqu group and the same zero-day (CVE-2014-4148) might have been used to install Duqu 2.0.



No comments:

Post a Comment