Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

LoJack Attack Finds False C2 Servers

A new attack uses compromised LoJack endpoint software to take root on enterprise networks.

Researchers have identified a new attack that uses computer-recovery tool LoJack as a vehicle for breaching a company's defenses and remaining persistent on the network. The good news is that it hasn't started specific malicious activity — yet.

Arbor Networks' ASERT, acting on a third-party tip, found a subtle hack involving legitimate LoJack endpoint agents. The threat actors didn't change any of the legitimate actions of the software. All they did was strip out the legitimate C2 (command and control) server address from the system and replace it with a C2 server of their own.

Richard Hummel, manager of threat research at NETSCOUT Arbor's ASERT, says that the subtlety of the action means that most existing security software and systems will not provide any indication that something is going wrong. "If they're running as an admin, they might not see it," Hummel says. "This doesn't identify as malicious or malware, so they might just see a subtle warning."

The addresses of the new C2 servers are pieces of the analysis that led researchers to believe that the campaign is attributable to Fancy Bear, a Russian hacking group responsible for a number of well-known exploits. On initial execution, the infected software contacts on of the C2 servers, which logs its success. Then, the new LoJack application proceeds to … wait. It simply does what LoJack does, with no additional communication or activity.

Hummel says that the lack of activity and lack of steps to prevent legitimate activity means that most security software won't recognize that the app is anything but legitimate.

Once in place, the nature of the LoJack system's activities means that it's very persistent, remaining in place and active through reboots, on/off cycles, and other disruptive events.

"This is basically giving the attacker a foothold in an agency," Hummel says. "There's no LoJack execution of files, but they could launch additional software at a later date." And the foothold that the software gains is a strong one.

"If they're on a critical system or the user is someone with high privileges, then they have a direct line into the enterprise," Hummel explains, adding, "with the permissions that LoJack requires, [the attackers] have permission to install whatever they want on the victims' machines."

There is, so far, nothing about the attack that contains a huge element of novelty. As for the code, Hummel says that this particular mechanism for attack has been around since 2014, when the software that is now LoJack was called Computrace. Even then, Hummel says, "researchers talked about how LoJack maintains its persistence."

And while Hummel's team has suspicions about infection mechanisms, they aren't yet sure what's happening. "We did some initial analysis on how the payload is being distributed and other Fancy Bear attacks, and we can't verify the infection chain," Hummel says, though he's quick to add, "We don't think that LoJack is distributing bad software."

With stealth and persistence on its side, how does an enterprise prevent this new attack from placing bad software on corporate computers? Hummel says everything begins with proper computer hygiene. "Users will be prompted for permission warnings — don't just blow by them," he says.

Next, the IT security team can scan for five domains currently used by the software:

  • elaxo[.]org
  • ikmtrust[.]com
  • lxwo[.]org
  • sysanalyticweb[.]com (2 forms)

Each of these domains should be blocked by network security mechanisms.

It's rare to have warning of an active infection method prior to damaging attacks using the infection target. Organizations now have time to learn about the tactic and disinfect compromised endpoints before the worst occurs.

Related Content:

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19729
PUBLISHED: 2019-12-11
An issue was discovered in the BSON ObjectID (aka bson-objectid) package 1.3.0 for Node.js. ObjectID() allows an attacker to generate a malformed objectid by inserting an additional property to the user-input, because bson-objectid will return early if it detects _bsontype==ObjectID in the user-inpu...
CVE-2019-19373
PUBLISHED: 2019-12-11
An issue was discovered in Squiz Matrix CMS 5.5.0 prior to 5.5.0.3, 5.5.1 prior to 5.5.1.8, 5.5.2 prior to 5.5.2.4, and 5.5.3 prior to 5.5.3.3 where a user can trigger arbitrary unserialization of a PHP object from a packages/cms/page_templates/page_remote_content/page_remote_content.inc POST parame...
CVE-2019-19374
PUBLISHED: 2019-12-11
An issue was discovered in core/assets/form/form_question_types/form_question_type_file_upload/form_question_type_file_upload.inc in Squiz Matrix CMS 5.5.0 prior to 5.5.0.3, 5.5.1 prior to 5.5.1.8, 5.5.2 prior to 5.5.2.4, and 5.5.3 prior to 5.5.3.3 where a user can delete arbitrary files from the se...
CVE-2014-7257
PUBLISHED: 2019-12-11
SQL injection vulnerability in DBD::PgPP 0.05 and earlier
CVE-2013-4303
PUBLISHED: 2019-12-11
includes/libs/IEUrlExtension.php in the MediaWiki API in MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 does not properly detect extensions when there are an even number of "." (period) characters in a string, which allows remote attackers to conduct cross-s...