Malware attack on Kaspersky Lab used stolen Foxconn certs


— 9:35 AM on July 16, 2015

Kaspersky Lab has revealed a few more technical details about the malware used in the recent intrusion into its systems, which the company has christened "Duqu 2.0." The report includes a worrisome detail: a 64-bit Windows driver used by the malware platform is digitally signed by none other than Foxconn Technology Group, one of the world's largest electronics manufacturers. You might know some of their clients, like Apple, Microsoft, and Google.

The valid digital signature makes the driver in question appear perfectly legitimate from the OS's perspective,  and is one of the reasons why Duqu 2.0 doesn't leave any obvious trace in infected systems. The same tactic was used in the Stuxnet intrusions in 2011, albeit with stolen Realtek and JMicron digital certificates.

Kaspersky states it hasn't seen any other malware using the stolen certificates, so it rules out the possibility that they have been leaked to other cracking groups. The company also believes that the uniqueness of these certificates means that they were stolen directly from manufacturers' networks. The group responsible for Duqu 2.0 and Stuxnet has yet to use the same digital certificate twice, which could mean that it has more stolen certificates ready for use. If that's the case, it could undermine trust in digital certificates as a whole.

Like what we're doing? Pay what you want to support TR and get nifty extra features.
Top contributors
1. BIF - $340 2. Ryu Connor - $250 3. mbutrovich - $250
4. YetAnotherGeek2 - $200 5. End User - $150 6. Captain Ned - $100
7. Anonymous Gerbil - $100 8. Bill Door - $100 9. ericfulmer - $100
10. dkanter - $100
   
Register
Tip: You can use the A/Z keys to walk threads.
View options

This discussion is now closed.