News

4/1/2015
05:30 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Laziok Trojan Exploits Three Year-Old Windows Flaw

Data-stealing malware relies on old bug to break into systems at energy companies.

Despite all the attention paid to zero-day bugs and sophisticated new attack techniques, criminal hackers often exploit old vulnerabilities where they can in order to gain access to an enterprise network or system.

The latest case in point is Trojan Laziok, a malware tool that exploits a three-year old Windows vulnerability to gain access to systems belonging to energy companies in the Middle East and, to a lesser extent, other regions of the world. Roughly 10 percent of the malware’s victims are based in the US and UK.

Security researchers at Symantec described the malware as a reconnaissance tool that allows attackers to gather data from compromised computers and use the information to make decisions on whether to carry out or drop further attacks against the systems.

Laziok is designed to collect system configuration data such as computer name, installed software, memory, hard disk size, and type of antivirus software installed on the system.

It is also designed to drop customized copies of Backdoor. Cyberat and Trojan.Zbot, two well-known data stealers, on systems that are identified by the attackers as being worthy of further compromise. “We observed that the threats were downloaded from a few servers operating in the US, UK, and Bulgaria,” Symantec security researcher Christian Tripputi said in the blog post describing the Trojan.

Companies targeted by the Trojan were mostly in the petroleum, gas, and helium industries, suggesting that the attackers have a strategic interest in the energy sector, Tripputi said.

What makes Laziok interesting is that it exploits a software flaw for which a patch was available back in 2012, says security researcher Satnam Narang.

Laziok arrives as a malicious attachment in spam emails purporting to be from the moneytran.eu domain. The attachment contains an exploit for a remote, code execution vulnerability in a Windows ActiveX Control.

The flaw was first disclosed three years ago in April 2012 and was patched shortly thereafter. It was exploited in multiple previous attack campaigns including Red October, a sophisticated cyberespionage campaign against numerous government, diplomatic, and research organizations worldwide.

Despite the attention focused the flaw, Laziok has shown that many organizations have yet to patch against it, Narang said.

“Zero-days are considered the jewels of the pack,” Narang says. “But in this case [the attackers] are using an outdated vulnerability that has been already patched.”

It underscores how criminal hackers, when developing exploits for new campaigns, have an expectation that a lot of people are going to be running unpatched software, he says. While zero-day exploits are much more valuable from a hacker standpoint they are also more costly to discover and use than attacks targeting older flaws. So cyber criminals have a tendency to exploit old flaws where they can, Narang said.

The Laziok campaign shows why attack tools and exploits matter less than victim targeting and the economics of the attack campaign, said Philip Lieberman, president of Lieberman Software.

“Just as a company looks at the ROI of their offerings, attackers attempt to use the most inexpensive tools possible to achieve the greatest ROI,” he said in emailed comments. The attack takes advantage of the failure by many organizations in the oil and gas industry to keep their Windows software environment properly patched, he said.

“The attack points out the lack of general preparation of cyber-defense teams in many areas of the oil and gas industry worldwide.”

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Crowdsourced vs. Traditional Pen Testing
Alex Haynes, Chief Information Security Officer, CDL,  3/19/2019
BEC Scammer Pleads Guilty
Dark Reading Staff 3/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Cyber Security Incident Response
The State of Cyber Security Incident Response
Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-18913
PUBLISHED: 2019-03-21
Opera before 57.0.3098.106 is vulnerable to a DLL Search Order hijacking attack where an attacker can send a ZIP archive composed of an HTML page along with a malicious DLL to the target. Once the document is opened, it may allow the attacker to take full control of the system from any location with...
CVE-2018-20031
PUBLISHED: 2019-03-21
A Denial of Service vulnerability related to preemptive item deletion in lmgrd and vendor daemon components of FlexNet Publisher version 11.16.1.0 and earlier allows a remote attacker to send a combination of messages to lmgrd or the vendor daemon, causing the heartbeat between lmgrd and the vendor ...
CVE-2018-20032
PUBLISHED: 2019-03-21
A Denial of Service vulnerability related to message decoding in lmgrd and vendor daemon components of FlexNet Publisher version 11.16.1.0 and earlier allows a remote attacker to send a combination of messages to lmgrd or the vendor daemon, causing the heartbeat between lmgrd and the vendor daemon t...
CVE-2018-20034
PUBLISHED: 2019-03-21
A Denial of Service vulnerability related to adding an item to a list in lmgrd and vendor daemon components of FlexNet Publisher version 11.16.1.0 and earlier allows a remote attacker to send a combination of messages to lmgrd or the vendor daemon, causing the heartbeat between lmgrd and the vendor ...
CVE-2019-3855
PUBLISHED: 2019-03-21
An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.