Slashdot Mirror


Kaspersky Lab Reveals Cyberattack On Its Corporate Network

An anonymous reader writes: Kaspersky Lab has revealed that it was recently subject to a major cyberattack. The company launched an investigation, which led to the discovery of a new malware platform from Duqu. Kaspersky has revealed that the attack exploited zero-day vulnerabilities and that the malware spread within the network through MSI (Microsoft Software Installer) files. "The attack is extremely sophisticated, and this is a new generation of what is most likely state-sponsored malware," Kaspersky said during the press conference. "It's a kind of a mix of Alien, Terminator and Predator, in terms of Hollywood."

3 of 73 comments

  1. Kaspersky's 46-page report on incident by VikingThunder · · Score: 5, Informative

    FYI: Here is the link to Kaspersky's report of the incident: https://securelist.com/files/2...

    1. Re:Kaspersky's 46-page report on incident by plover · · Score: 4, Informative

      Have Kaspersky considered running their business off of bootable CDs?

      Read further down in the Fine Report, and you'll see why that strategy probably wouldn't have helped much. After the initial installation, the command and control network ran almost exclusively in RAM on Kaspersky's servers; the executable files were deleted to leave as few detectable traces as possible. Of course that meant the malware would be lost during a server reboot, so it depended on the actions of the other nearby servers, which would eventually detect that the rebooted server was uninfected and would then re-infect it. And just in case Kaspersky's admins rebooted all servers simultaneously, wiping out the entire C&C system, they left a back door open in the form of a few unimportant PCs infected with persistent malware that would simply launch reverse tunneling proxies at startup. The attackers would have been able to re-enter the network without needing to phish them again.

      --
      John
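The "binary deleted, code lives only in RAM" pattern plover describes is something a responder can hunt for directly. The script below is an added illustration, not code from the Slashdot thread or from Kaspersky's report, and it makes one assumption the report does not: it targets Linux hosts, where the kernel exposes what is needed through /proc. /proc/<pid>/exe is a symlink the kernel suffixes with " (deleted)" once the backing file is unlinked, and /proc/<pid>/maps lists every executable mapping with the same suffix; images created with memfd_create() show up as "/memfd:name (deleted)". The sample snapshot in the block is constructed for the example and is not real telemetry; the Windows servers in the actual incident are not modelled.

```python
"""Hunt for running processes whose executable no longer exists on disk.

Added example (not from the thread or from Kaspersky's report). Assumes a
Linux /proc layout; the sample snapshot below is constructed test data.
"""
import os
from dataclasses import dataclass, field


@dataclass
class Finding:
    pid: int
    exe: str                                  # readlink target of /proc/<pid>/exe
    reasons: list = field(default_factory=list)


def exe_reason(exe_target):
    """Return why an exe symlink target is suspicious, or None if it looks normal."""
    if exe_target.startswith("/memfd:"):
        # memfd_create() images never existed on disk; readlink shows "/memfd:name (deleted)"
        return "executable is an anonymous memfd image"
    if exe_target.endswith(" (deleted)"):
        return "backing executable was deleted after launch"
    if exe_target.startswith(("/dev/shm/", "/tmp/", "/var/tmp/")):
        return "executable runs from a volatile or world-writable directory"
    return None


def deleted_exec_mappings(maps_text):
    """Return paths of executable mappings in a /proc/<pid>/maps dump whose file is gone.

    A maps line looks like: "7f3c1e000000-7f3c1e021000 r-xp 00000000 08:01 131 /lib/x.so (deleted)"
    """
    hits = []
    for line in maps_text.splitlines():
        parts = line.split(None, 5)          # address perms offset dev inode [path]
        if len(parts) < 6:
            continue                         # anonymous mapping, no backing path
        perms, path = parts[1], parts[5]
        if "x" in perms and path.endswith(" (deleted)"):
            hits.append(path)
    return hits


def scan_process(pid, exe_target, maps_text):
    """Classify one process from its exe link target and maps contents; None if clean."""
    finding = Finding(pid, exe_target)
    reason = exe_reason(exe_target)
    if reason:
        finding.reasons.append(reason)
    for path in deleted_exec_mappings(maps_text):
        finding.reasons.append(f"executable mapping with deleted file: {path}")
    return finding if finding.reasons else None


def scan_snapshot(snapshot):
    """Scan {pid: (exe_target, maps_text)} and return findings sorted by pid."""
    results = [scan_process(pid, exe, maps) for pid, (exe, maps) in snapshot.items()]
    return sorted((f for f in results if f), key=lambda f: f.pid)


def read_live_snapshot(proc_root="/proc"):
    """Collect the same data from a live Linux /proc; pids we cannot read are skipped."""
    snapshot = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            exe = os.readlink(f"{proc_root}/{pid}/exe")
            with open(f"{proc_root}/{pid}/maps") as fh:
                maps = fh.read()
        except (PermissionError, FileNotFoundError, ProcessLookupError):
            continue   # kernel threads have no exe; other users' pids need root
        snapshot[pid] = (exe, maps)
    return snapshot


# Constructed sample snapshot (not real telemetry): one clean daemon, one implant
# whose dropper unlinked itself, and one memfd-backed second stage.
SAMPLE_SNAPSHOT = {
    101: ("/usr/sbin/sshd",
          "55d0c6a00000-55d0c6a40000 r-xp 00000000 08:01 2048 /usr/sbin/sshd\n"
          "7f1a00000000-7f1a00021000 rw-p 00000000 00:00 0\n"),
    202: ("/tmp/.svc (deleted)",
          "5600a0000000-5600a0010000 r-xp 00000000 08:01 99 /tmp/.svc (deleted)\n"
          "7f2b00000000-7f2b00001000 rw-p 00000000 00:00 0\n"),
    303: ("/memfd:stage2 (deleted)",
          "7f3c00000000-7f3c00020000 r-xp 00000000 00:05 77 /memfd:stage2 (deleted)\n"),
}

if __name__ == "__main__":
    for f in scan_snapshot(SAMPLE_SNAPSHOT):
        print(f"pid {f.pid}: {f.exe}")
        for r in f.reasons:
            print(f"   - {r}")
```

Run as root to get every process (unprivileged users can only read their own /proc entries), and pass `read_live_snapshot()` to `scan_snapshot()` instead of the sample. A hit here is a lead, not a verdict: package upgrades that replace a library under a long-running daemon produce the same "(deleted)" mapping, so the next step is to dump the process memory and compare it with the package's on-disk file before calling it an implant. Note that this only catches the memory-resident stage the comment describes; the persistent fallback hosts that re-launch a reverse tunnel at startup still need an autostart and outbound-connection review.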
  2. Re:Hyperbole by IamTheRealMike · · Score: 2, Informative

    Sorry, having fully read the report now, I'm gonna guess that Duqu is more likely to be Israeli intelligence than the NSA. The report notes that at least one victim has been hacked by the "Equation Group" (very clearly NSA) and Duqu at the same time. Additionally, the target list is things like anything to do with the Iranian nuclear program (very interesting to the Israelis) and also something to do with an anniversary of an event related to Auschwitz? Doesn't seem likely to interest the Americans. And apparently the few unfaked timestamps that remain are GMT+2 or GMT+3, the developers work on January 1st, and there's at least one English spelling mistake in the code.

    Additionally, Duqu and Stuxnet are apparently somehow related but not quite the same thing, and we know from leaks by US officials wanting to take credit that Stuxnet was a US/Israeli collaboration.