In a June 15 blog post, Kaspersky says a key 64-bit driver helped Duqu 2.0 escape detection because it had a certificate issued by VeriSign to Taiwan-based Foxconn, the world's largest electronics contract manufacturer whose customers include global giants such as Apple, Microsoft, Amazon and Google.
Kaspersky believes Duqu 2.0 comes from the same attackers as its 2011 predecessor, Duqu, and the Stuxnet worm – and points out that these campaigns also used certificates stolen from Asia-Pacific hardware manufacturers, Realtek and Jmicron.
Kaspersky suspects the attackers never use the same certificate twice, saying: “If that's true, it means they might have enough alternative stolen digital certificates from other manufacturers that are ready to be used during the next targeted attack. This would be extremely alarming because it effectively undermines trust in digital certificates.”
The news follows Kaspersky's disclosure last week that Duqu 2.0 sat undetected on its servers for months, then used three Windows zero-days to target the US and other world powers negotiating with Iran, as reported by SCMagazineUK.com.
Symantec also said that Duqu 2.0 has infected other organisations in the UK, US, Sweden, India and Hong Kong, as well as telecoms operators in Europe and North Africa.
Vicente Diaz, principal security researcher at Kaspersky Lab, told SCMagazineUK.com via email: “Stealing a valid certificate should not be that easy, but the Duqu group was able to do it. So maybe they have stolen digital certificates ready to use for any attack, which would disrupt the trust chain needed for the encryption setup to work, as we rely on trusting these certification authorities. If we can´t do that, then the whole encryption mechanism based on certification authorities is at stake, one of the pillars of the internet.
“It also means that these companies are abused regularly by groups (probably state-sponsored ones) in order to obtain what they need for their cyber-espionage campaigns. Let's not forget that some certification authorities went bankrupt by hacking cases - it's something to think about.”
And Kaspersky's concern over the credibility of certificates is shared by others in the industry.
Cyber-security expert Alan Woodward, a Europol adviser and visiting professor at Surrey University, toldSC: “It's very worrying. Digital certificates are so valuable because the whole of trust on the internet really relies upon trusting certificates. The fact that it appears to be a stolen Foxconn certificate is quite troubling as well. Foxconn is a major supplier to the industry.”
Woodward called on certification authorities to react to the news.
“Certificates from trusted third parties have really become the mainstay of how we deal with each other on the internet,” he said. “I can't see that changing any time soon - but to maintain the trust, we've got to be able to know quickly when they've been misused.
“We've even seen stolen Microsoft certificates before; it's knowing they've been stolen and making sure they're revoked quickly that's the big thing. And the issuing authorities are not always that quick to revoke them when alerted. As soon as you know it's been misused, revoking it needs to be a very slick process.”
Sean Sullivan, a security advisor with F-Secure, agreed with Kaspersky's warning over certificates, given the number now known to be stolen. “It does undermine a lot of trust,” he told SC.
But Sullivan said industry developments could help. “Windows 10 is taking a much stricter approach towards drivers. They are going to have to be not just signed, but confirmed as ‘made for Windows 10'.
“The Foxconn driver was an old driver so it was legitimate and whatever versions of Windows that are out there now treated it as such. But Microsoft is moving to make sure that even legitimate drivers don't get a free pass – it's got to be legitimate and prevalent and up-to-date, and will be further checked on. So they're aware drivers are being abused in this way.”
In its latest analysis, Kaspersky credits Duqu 2.0 with ‘unusual' persistence. Almost all its code runs in memory, making it extremely hard to detect. Its structure also means the malware can survive the detection of any 0-days it is using and remain hidden in networks, ready to use newer, undiscovered malware.
Woodward highlighted the danger of this design. “There's quite a lot of malware appearing now that is adaptive and clearly meant to be there for the long term. It's not a smash and grab raid. The types of malware evolving now are themselves able to evolve as people learn about them and a patch is put on. It's almost like when they can't use the 0-day they were exploiting any more, they phone home and see what else they can use now.
“It's very clever but really quite frightening. This is a new generation. It is designed to get in there and stay for the long haul.”
Kaspersky has informed both Foxconn and VeriSign about Duqu 2.0's use of the stolen certificate.