Kaspersky reveals 'almost invisible' hacking attack on its systems Security company found malware, related to Duqu, when testing a new antivirus tool http://www.zdnet.com/article/kaspersky-hit-by-almost-invisible-hacking-attack/
We are lucky it happened to Kaspersky as if it was another security company we would probably still be at Duqu 1.0.
I'm sorry but this is a bit painful! I expected better from Kaspersky. On the other hand, it's also a wake up call to never let your guards down. If it can happen to them, it can happen to anyone.
Protecting a computer, vs a network can be two different things. Besides since most of these attacks involve human engineered phishing attacks, people are the same everywhere, vulnerable
Duqu 2.0 could have been developed by Israel http://securityaffairs.co/wordpress/37762/malware/duqu-2-0-developed-by-israel.html
Yes this is true, I can imagine that it can be quite complicated having to protect every PC and server on the network. I do think that security software can protect against almost all attacks nowadays, but it's still people who need to have the "know how" about how to configure and operate it.
The Duqu 2.0 persistence module https://securelist.com/blog/research/70641/the-duqu-2-0-persistence-module/
The next question that arises is, why on earth didn't they block the drivers from loading? Any HIPS can block this.
Without getting into what type of security they employed on the affected systems and if a properly configured HIPS was one of them, the driver was digitally signed with a valid certificate. Any HIPS that has a modicum of usability in mind will allow it by default.
If it was "properly configured" digitally signed certificates with or without valid cets wouldn't be auto allowed !
You probably meant drivers? I also don't understand why unknown drivers should be allowed to be loaded. It's just like with execution control - allow the one you trust and block all others.
This is a feature that you can and should always turn off. Of course, securing all appliances on a network is a lot more complex than securing a single home user PC, I get that. But still, if they are really serious about security, they should have been able to the secure servers and network appliances with a properly configured HIPS/IDS. Yes, exactly.
Yes I agree, the concept of securing a system stays the same. Simply don't allow new/untrusted executables and drivers to run, period. That would have prevented this attack. The only new thing about this attack is that it took quite some time to discover it, this means that HIPS and IDS need to be top notch, especially because the used malware was mostly operating from "in-memory".
