Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

News

4/1/2015
05:30 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Laziok Trojan Exploits Three Year-Old Windows Flaw

Data-stealing malware relies on old bug to break into systems at energy companies.

Despite all the attention paid to zero-day bugs and sophisticated new attack techniques, criminal hackers often exploit old vulnerabilities where they can in order to gain access to an enterprise network or system.

The latest case in point is Trojan Laziok, a malware tool that exploits a three-year old Windows vulnerability to gain access to systems belonging to energy companies in the Middle East and, to a lesser extent, other regions of the world. Roughly 10 percent of the malware’s victims are based in the US and UK.

Security researchers at Symantec described the malware as a reconnaissance tool that allows attackers to gather data from compromised computers and use the information to make decisions on whether to carry out or drop further attacks against the systems.

Laziok is designed to collect system configuration data such as computer name, installed software, memory, hard disk size, and type of antivirus software installed on the system.

It is also designed to drop customized copies of Backdoor. Cyberat and Trojan.Zbot, two well-known data stealers, on systems that are identified by the attackers as being worthy of further compromise. “We observed that the threats were downloaded from a few servers operating in the US, UK, and Bulgaria,” Symantec security researcher Christian Tripputi said in the blog post describing the Trojan.

Companies targeted by the Trojan were mostly in the petroleum, gas, and helium industries, suggesting that the attackers have a strategic interest in the energy sector, Tripputi said.

What makes Laziok interesting is that it exploits a software flaw for which a patch was available back in 2012, says security researcher Satnam Narang.

Laziok arrives as a malicious attachment in spam emails purporting to be from the moneytran.eu domain. The attachment contains an exploit for a remote, code execution vulnerability in a Windows ActiveX Control.

The flaw was first disclosed three years ago in April 2012 and was patched shortly thereafter. It was exploited in multiple previous attack campaigns including Red October, a sophisticated cyberespionage campaign against numerous government, diplomatic, and research organizations worldwide.

Despite the attention focused the flaw, Laziok has shown that many organizations have yet to patch against it, Narang said.

“Zero-days are considered the jewels of the pack,” Narang says. “But in this case [the attackers] are using an outdated vulnerability that has been already patched.”

It underscores how criminal hackers, when developing exploits for new campaigns, have an expectation that a lot of people are going to be running unpatched software, he says. While zero-day exploits are much more valuable from a hacker standpoint they are also more costly to discover and use than attacks targeting older flaws. So cyber criminals have a tendency to exploit old flaws where they can, Narang said.

The Laziok campaign shows why attack tools and exploits matter less than victim targeting and the economics of the attack campaign, said Philip Lieberman, president of Lieberman Software.

“Just as a company looks at the ROI of their offerings, attackers attempt to use the most inexpensive tools possible to achieve the greatest ROI,” he said in emailed comments. The attack takes advantage of the failure by many organizations in the oil and gas industry to keep their Windows software environment properly patched, he said.

“The attack points out the lack of general preparation of cyber-defense teams in many areas of the oil and gas industry worldwide.”

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Stop Defending Everything
Kevin Kurzawa, Senior Information Security Auditor,  2/12/2020
Small Business Security: 5 Tips on How and Where to Start
Mike Puglia, Chief Strategy Officer at Kaseya,  2/13/2020
Architectural Analysis IDs 78 Specific Risks in Machine-Learning Systems
Jai Vijayan, Contributing Writer,  2/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9024
PUBLISHED: 2020-02-17
Iteris Vantage Velocity Field Unit 2.3.1 and 2.4.2 devices have world-writable permissions for the /root/cleardata.pl (executed as root by crond) and /root/loadperl.sh (executed as root at boot time) scripts.
CVE-2020-9025
PUBLISHED: 2020-02-17
Iteris Vantage Velocity Field Unit 2.4.2 devices have multiple stored XSS issues in all parameters of the Start Data Viewer feature of the /cgi-bin/loaddata.py script.
CVE-2020-9026
PUBLISHED: 2020-02-17
ELTEX NTP-RG-1402G 1v10 3.25.3.32 devices allow OS command injection via the PING field of the resource ping.cmd. The NTP-2 device is also affected.
CVE-2020-9027
PUBLISHED: 2020-02-17
ELTEX NTP-RG-1402G 1v10 3.25.3.32 devices allow OS command injection via the TRACE field of the resource ping.cmd. The NTP-2 device is also affected.
CVE-2020-9028
PUBLISHED: 2020-02-17
Symmetricom SyncServer S100 2.90.70.3, S200 1.30, S250 1.25, S300 2.65.0, and S350 2.80.1 devices allow stored XSS via the newUserName parameter on the "User Creation, Deletion and Password Maintenance" screen (when creating a new user).