Some of the malware that infected the corporate network of antivirus provider Kaspersky Lab concealed itself using digital certificates belonging to Foxconn, the electronics manufacturing giant and maker of the iPhone, Xbox, and other well-known products.
Cryptographically generated credentials are required to install drivers on newer, 64-bit versions of Windows. Foxconn used one such certificate when installing several legitimate drivers on Dell laptop computers in 2013. Somehow, the attackers who infected the Kaspersky Lab network appropriated the digital seal and used it to sign their own malicious drivers. As Ars explained last week, the drivers were the sole part of the entire Duqu 2.0 malware platform that resided on local hard drives. These drivers were on Kaspersky firewalls, gateways, or other servers that had direct Internet access and were used to surreptitiously marshal sensitive information in and out of the Kaspersky network.
Not the first time
The Foxconn certificate is the third one used to sign malware that has been linked to the same advanced persistent threat (APT) attackers. The Stuxnet malware, which reportedly was developed by the US and Israel to sabotage Iran’s nuclear program, used a digital certificate from Realtek, a hardware manufacturer in the Asia Pacific region. A second driver from Jmicron, another hardware maker in the Asia Pacific, was used several years ago to sign Stuxnet-related malware developed by some of the same engineers. Like the previous two certificates, the one belonging to Foxconn had never been found signing any other malicious software.
Kaspersky researchers took that exclusivity to mean that the Duqu 2.0 attackers obtained the certificates by hacking or otherwise penetrating the hardware manufacturers and holding the certificates solely for a single dedicated purpose. The researchers also speculate that the developers behind Duqu and Stuxnet have a reliable supply of additional valid certificates to meet the needs of any future malware platforms.
“The fact that they have this ability and don’t reuse their certificates like other APT groups means they probably [used them only for targeted attacks],” Costin Raiu, director of Kaspersky Lab’s Global Research and Analysis Team, said during a conference call with reporters. “This is extremely alarming because it undermines all the trust we have in digital certificates. It means that digital certificates are no longer an effective way of defending networks and validating the legitimacy of the packages. It’s also important to point out that these guys are careful enough not to use the same digital certificates twice.”
Raiu said Kaspersky Lab has contacted Foxconn officials and alerted them to the use of the certificate. So far, they haven’t received a response. Kaspersky has also contacted officials with VeriSign, the Windows-trusted certificate authority that signed the Foxconn certificate. The certificate discovered by Kaspersky was issued to Hon Hai Precision Industry Co. Ltd., the alternate name for Foxconn. Kaspersky researchers have published a report on the driver discovery here.
In the beginning…
As Ars explained last week, Duqu 2.0 was a fully revamped version of the original Duqu malware, which was discovered in 2011 and had digital DNA from Stuxnet. Virtually all of the 18 megabytes of the new malware ran entirely in computer memory, making infections extremely hard to detect. The only exceptions were a few drivers that were installed on firewalls and other machines that had both direct Internet access to the outside and unfettered access inside the targeted corporate network.
The drivers acted as a translator. Inside the Kaspersky network, Duqu sent data in the form of Windows file sharing traffic. The drivers would then convert the data into encrypted transport layer security traffic before sending it back to Duqu attackers over the Internet. The drivers also allowed attackers to access the servers by sending secret keywords, which in the case of the Kaspersky infection were “romanian.antihacker” and “ugly.gorilla.”
In addition to infecting Kaspersky Lab, Duqu 2.0 also targeted the diplomatic talks the US and five other world powers held with Iran over its nuclear program. The same malware spied on people participating in the 70th anniversary of the liberation of the Auschwitz-Birkenau extermination camp. Researchers from Kaspersky competitor Symantec said it also hit several other companies, including one telecommunications operator in Europe, another telecoms operator in North Africa, and a South East Asian electronic equipment manufacturer. Additional infections were found in organizations in the US, the UK, Sweden, India, and Hong Kong. During Monday’s call, Raiu also said an Asian Pacific manufacturer of supervisory control and data acquisition (SCADA) gear was also infected.
While the Duqu developers frequently used undisclosed, “zero-day” vulnerabilities in Windows to bypass Windows driver signing requirements, Raiu said such exploits would be too risky for ensuring that the drivers remained installed. That’s because vulnerabilities regularly get fixed.
“They [the attackers] needed to have a persistence mechanism that will survive the patching of all these zero days,” he explained.
The reliable supply of compromised certificates is yet another testament to the confidence and competency of the Duqu attackers. As Raiu noted, it also raises troubling questions about the reliability of the entire digital certificate mechanism that Microsoft, Apple, and most other software makers rely on to establish the legitimacy of applications and drivers.