Hackers Targeting Kaspersky Used Stolen Foxconn Certificates

The attack on Kaspersky, also known as Duqu 2.0, was conducted with malware that was signed with a Foxconn certificate, Wired reported. Foxconn, a Taiwanese electronics firm, helps major tech companies with hardware manufacturing, which includes making products like the iPhone, the iPad, the PlayStation and the Xbox, along with a plethora of other mainstream products. Foxconn also makes hardware for companies such as Dell, Google, Apple, Microsoft and more.

Digital certificates

Digital certificates are used by software makers and manufacturers to sign, verify and authenticate their software code. They let browsers and operating systems know that certain software can be trusted. In other words, these certificates are used like passports. The hackers' strategy of stealing and manipulating certificates to sign their malware is particularly dangerous, as trusted certificates can then be used to authenticate malicious code.

How Foxconn figures in the hack

Normally, cryptographically created credentials are required to install drivers on the latest builds of 64-bit versions of Windows. Here is a timeline of how Foxconn's driver was used by the hackers:

  • In 2013, Foxconn used a similar certificate while installing drivers on Dell laptops during a production run, and the same certificate fell into the hackers' hands.
  • The attackers then used it to target Kaspersky Lab, infecting the security firm's network by using the digital seal inherent in the certificate, which signed off on the hackers' drivers.
  • These malicious drivers, signed by the legitimate Foxconn certificate, were the singular reason and component of the Duqu 2.0 malware platform.
  • These drivers were found on Kaspersky gateways, firewalls and servers with direct internet access, used by the hackers to pry sensitive information back and forth within the security firm's network.
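
A defender-side check for the situation described above, as an added example that is not part of the original article: a PowerShell inventory of who signed each kernel driver on a host, flagging files that are unsigned or whose valid signature comes from a signer outside the baseline expected for that machine. The `$ExpectedSigners` baseline, its values and the helper name `Get-SignerName` are assumptions to replace with your own.

```powershell
# Added example: a valid signature only proves WHO signed a driver, not that
# the driver is benign. Inventory the signers and compare against a baseline.

# Assumption: per-role baseline of signer names you expect on this host
# (constructed values; a gateway or server normally needs very few).
$ExpectedSigners = @(
    'Microsoft Windows',
    'Microsoft Windows Hardware Compatibility Publisher',
    'Microsoft Corporation'
)

function Get-SignerName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    if (-not $Certificate) { return $null }
    # SimpleName resolves to the common name of the certificate subject
    $type = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    return $Certificate.GetNameInfo($type, $false)
}

$driverDir = Join-Path $env:SystemRoot 'System32\drivers'

$report = Get-ChildItem -Path $driverDir -Filter '*.sys' -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Note: older PowerShell versions may report catalog-signed files as NotSigned
        $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert   = $sig.SignerCertificate
        $signer = Get-SignerName $cert
        [pscustomobject]@{
            Path       = $_.FullName
            Status     = $sig.Status
            Signer     = $signer
            Thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
            Modified   = $_.LastWriteTimeUtc
            # Flag anything not validly signed, and anything validly signed
            # by a party this host has no reason to trust for drivers
            Unexpected = ($sig.Status -ne 'Valid') -or ($signer -notin $ExpectedSigners)
        }
    }

# Summary: how many drivers each signer accounts for on this host
$report | Group-Object Signer | Sort-Object Count |
    Format-Table Count, Name -AutoSize

# Detail: the drivers that need a human look
$report | Where-Object Unexpected | Sort-Object Signer, Path |
    Format-Table Signer, Status, Thumbprint, Modified, Path -AutoSize
```

A hardware vendor's signature on a driver is normal on a laptop with that vendor's components; the same signer on a firewall or gateway with no such hardware is the mismatch worth investigating.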

Security certificates – a free ride for hackers

Advanced Persistent Threat (APT) attackers have used certificates to sign and authenticate their malware multiple times in the recent past. Other examples include:

  • The Stuxnet malware, allegedly developed by Israel to infiltrate Iran's nuclear program, was authenticated by a certificate created by a popular hardware manufacturer, Realtek.
  • Other Stuxnet-related malware was developed by the same engineers using a certificate from another hardware manufacturer, JMicron.

Hackers have used such certificates for the singular purpose of creating malware, after infiltrating hardware manufacturers to obtain them.

“The fact that they have this ability and don’t reuse their certificates like other APT groups means they probably [used them only for targeted attacks],” said Costin Raiu, director of Kaspersky Lab’s Global Research and Analysis Team. “This is extremely alarming because it undermines all the trust we have in digital certificates. It means that digital certificates are no longer an effective way of defending networks and validating the legitimacy of the packages. It’s also important to point out that these guys are careful enough not to use the same digital certificates twice.”

Raiu added that Kaspersky Lab had contacted officials from Foxconn to alert them to the use of their certificates and that, so far, the security firm has not received a response from the hardware manufacturer.