Kaspersky Labs has recently come under attack from a highly sophisticated malware program, Duqu 2.0, which used a stolen Foxconn certificate to infiltrate the security firm. Foxconn is a Taiwanese firm that manufacturers hardware for a lot of major companies including Apple, Dell, Microsoft and Google. The Foxconn certificate is the third one used to sign malware that has been linked to the same APT attackers.Digital certificates (like the one stolen from Foxconn) are like passports that software developers use to sign and authenticate their code. They function as a trust signal to browsers and operating systems, but when attackers use them to sign their malware the certificates become totally and completely useless. The hackers who stole the Foxconn certificate are also believed to have played a role in Stuxnet, the digital weapon used to attack Iran’s nuclear program in 2011.
“The fact that they have this ability and don’t reuse their certificates like other APT groups means they probably [used them only for targeted attacks],” said Costin Raiu, director of Kaspersky Lab’s Global Research and Analysis Team, “is certainly alarming.” It leaves one to wonder about the reliability of the entire digital certificate mechanism that companies like Microsoft and Apple rely on so heavily to establish the legitimacy of applications and drivers.
Raiu went on to say in a post by Kaspersky Labs, “The people behind Duqu are one of the most skilled and powerful APT groups and they did everything possible to try to stay under the radar. This highly sophisticated attack used up to three zero-day exploits, which is very impressive – the costs must have been very high. To stay hidden, the malware resides only in kernel memory, so anti-malware solutions might have problems detecting it. It also doesn’t directly connect to a command-and-control server to receive instructions. Instead, the attackers infect network gateways and firewalls by installing malicious drivers that proxy all traffic from the internal network to the attackers’ command and control servers.”
More details about Duqu 2.0 can be found in this technical report.