Duqu 2.0 – Who’s The Lord of Ring0?


Last week we saw another sophisticated attack unearthed by a large security company from its own compromised internal networks (yes, even cyber defenders are fallible). This attack leverages the most dangerous weakness on a system, namely an unknown vulnerability in the “kernel” or core of the operating system. Not surprisingly, spear phishing seems to be the suspected means leveraged by the attackers to deliver the attack to the victim(s). The attack had layers of sophistication and shows signs of a well-planned attack that was designed specifically to bypass all known detection technologies. Some of the reported findings that make this attack interesting:

  • Font kernel exploit

The attack leveraged a zero-day vulnerability in TTF font parsing, which makes it well suited to delivery via spear phishing, e.g. through browsers or Office documents.

  • Multiple zero days

It has been reported that up to three zero days were used in the original attack. This indicates that it was a well-sponsored attack. It takes many man hours by experts to discover such vulnerabilities.

  • Stolen driver certs from high profile company (FoxConn)

This gives the malware persistence capabilities post-infection and also creates a challenge for whitelisting technology that relies on signed driver whitelisting.

  • Memory resident malware

Most of the malware was in-memory to avoid detection by heuristics and signatures, which poses a challenge for blacklisting solutions.


If you were around the cybersecurity industry in 2011, this attack creates a sense of déjà vu with the ‘original’ Duqu malware. In short, both blacklisting and whitelisting technologies were defeated by this sophisticated malware, and the attack remained undetected for a few months.

Given the nature of the attack, there is no doubt that the security community will reverse engineer the publicly available binaries of the attack and post more details in days to come.

Are kernel (ring0) attacks rare? Certainly not. As the security industry invests more in monitoring and defenses, attackers are stepping up their game. The Windows OS kernel, with millions of lines of code, provides a lucrative attack surface for the informed attacker. In fact, ever since Stuxnet in 2010, this has been a common theme: leveraging kernel-mode attacks to bypass various layers of security technologies on both network and endpoint.

The table below lists some of the publicly known malware attacks uncovered that leveraged kernel exploits.


| Year Uncovered | Popular name | CVE | Reference |
|---|---|---|---|
| | | CVE-2010-2743 | https://en.wikipedia.org/wiki/Stuxnet |
| | | CVE-2011-3402 | http://www.crysys.hu/publications/files/bencsathPBF11duqu.pdf |
| | | CVE-2011-2005 | http://www.welivesecurity.com/2012/12/27/win32gapz-steps-of-evolution/ |
| | NDProxy vuln* | CVE-2013-5065 | https://www.trustwave.com/Resources/SpiderLabs-Blog/The-Kernel-is-calling-a-zero(day)-pointer-%E2%80%93-CVE-2013-5065-%E2%80%93-Ring-Ring/ |
| | TTF vuln* | CVE-2014-4148 | https://www.fireeye.com/blog/threat-research/2014/10/two-targeted-attacks-two-new-zero-days.html |
| | Duqu 2.0 | CVE-2015-2360 | https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/ |

*The attack failed to get a nice name

In the past few years, the Bromium Labs team has given several technical security talks on this topic to educate users about the inevitable attack and to explain the limitations of the current “layered defense” stack of security products. Compromising the kernel via a classic drive-by exploit gives the attacker a huge advantage over several layers of security software (see the Bromium White Paper on Trends in Zero Day Kernel Exploits), and he/she can go unnoticed for months, just as in the case of Duqu 2.0.

Providing protection against such sophisticated attacks that target users via web or email has been a mission for us at Bromium from Day #1. Threat isolation, such as micro-virtualization, prevents breaches and mitigates kernel-level attacks by separating unknown and untrusted tasks and processes from trusted and critical computer systems.

Ultimately, it’s up to you to decide – who’s going to be the lord of ring0 in your organization?
