Monday, June 15, 2015

Duqu v2 - using stolen certs; what's even scarier is that the attackers might have more stolen certs


Attackers are getting smarter. An attack like this can be detected, but validating it is hard because they are:
  1. Using stolen certs
  2. Using different certs at different times

From the article:
The way that the certificates are used by the Duqu attackers is somewhat unusual. Rather than using one certificate for multiple modules or drivers, the group seems to have access to a sizable cache of stolen certificates and uses each one just once.

Another interesting observation is that besides these Duqu drivers we haven't uncovered any other malware signed with the same certificates. That rules out the possibility that the certificates have been leaked and are being used by multiple groups. It also seems to indicate the Duqu attackers are the only ones who have access to these certificates, which strengthens the theory they hacked the hardware manufacturers in order to get these certificates.

The Duqu attackers are also careful enough not to use the same digital certificate twice.
For more info: https://threatpost.com/duqu-2-0-attackers-used-stolen-foxconn-certificate-to-sign-driver/113315
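One defender-side check that follows from the "each cert used once" observation: inventory the signing certificates on installed kernel drivers and triage the ones that sign exactly one file. This is an added example, not code from the post or the article; it assumes an elevated PowerShell session on the host being inspected and the standard drivers directory. Note that a Status of Valid only means the chain is trusted, which is exactly why a stolen certificate is hard to spot by validation alone.

```powershell
# Added example: find signing certificates used on exactly one kernel driver.
# Assumption: run elevated; driver directory path is the usual default.
$driverDir = Join-Path $env:SystemRoot 'System32\drivers'

$sigs = Get-ChildItem -Path $driverDir -Filter '*.sys' -File |
    ForEach-Object {
        $s = Get-AuthenticodeSignature -FilePath $_.FullName
        $c = $s.SignerCertificate
        [pscustomobject]@{
            File       = $_.Name
            Status     = $s.Status
            Thumbprint = if ($c) { $c.Thumbprint } else { $null }
            Subject    = if ($c) { $c.Subject } else { $null }
            NotBefore  = if ($c) { $c.NotBefore } else { $null }
            NotAfter   = if ($c) { $c.NotAfter } else { $null }
        }
    }

# Unsigned or broken signatures are a separate finding; list them first.
# (Inbox drivers are catalog-signed, so whether they show as Valid depends
# on the PowerShell version performing catalog lookup.)
$sigs | Where-Object { $_.Status -ne 'Valid' } |
    Format-Table File, Status -AutoSize

# A certificate seen on only one driver is not proof of compromise, but it is
# the pattern the article describes, so surface it with subject and validity
# window for manual triage against known vendor signers.
$sigs | Where-Object { $_.Thumbprint } |
    Group-Object Thumbprint |
    Where-Object { $_.Count -eq 1 } |
    ForEach-Object { $_.Group[0] } |
    Sort-Object Subject |
    Format-Table File, Subject, Thumbprint, NotBefore, NotAfter -AutoSize
```

On a normal host most single-use thumbprints will be legitimate third-party vendors, so compare the subject and validity window against the vendor you expect for that driver rather than treating the count alone as an alert.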
