European firms targeted by CozyDuke APT

European and Asian organisations were targeted by the CozyDuke advanced persistent threat (APT) attack, revealed an executive with Kaspersky Lab.

EU Council urged: Get internet giants to share encryption keys
EU Council urged: Get internet giants to share encryption keys

Costin Raiu, director, global research & analysis team at Kaspersky, the company that first identified CozyDuke said the attacker's list also included “government organisations and commercial entities in Germany, South Korea and Uzbekistan.”

The company said that the APT appeared to have hit the White House and US State Department in the second half of last year and appeared to belong to the same family as previous APTs - OnionDuke and CozyDuke / Cozy Bear. Raiu said the similarities between the attacks suggested they had the same authors or were working together.

He added that the similarities went further than that. “A comparison of two files matches a recent second stage tool from the CozyDuke attacks with a second stage component from other Miniduke/Onionduke attacks. The two share identical export function names in their export directories, and the naming appears to be randomly assigned at compile time,” he said, adding that the calls, jmps and code all matched as well.  In fact, he said, “The contents of only one of these exports in update.dll has no match whatsoever in cache.dll.”

There is a further dimension to the attack.  The APT was set up to avoid security software by faking security certificates from the likes of Intel and AMD.  According to Mike Spykerman, vice president of product management at software security company OPSWAT, businesses could expect to see more of this type of attack in the future.  “The anti-detection capabilities of the CozyDuke APT are likely to become more widespread in APTs” he said.

“The best way to protect against malware that includes anti-AV protection is to use a multi anti-malware scanner that utilises several different anti-malware engines. Not only does this significantly increase the malware detection rate, it also thwarts threats that try to target vulnerabilities in specific anti-virus engines. When using multiple engines, only one engine needs to detect the threat to be protected. The more engines you use, the less likely the APT has anti-detection capabilities for all,” added Spykerman.

While CozyDuke appears to have hit several US government organisations, Raiu said it was not difficult for users to protect against APTs.  “Several very basic security precautions can work effectively against even the most sophisticated and thoroughly planned APTs” he said. “For example, a simple curbing of administrative rights plus the timely patching of vulnerabilities and restricting the number of permitted apps can mitigate up to 85 percent of targeted attack-connected incidents.