Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

News

4/1/2015
05:30 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Laziok Trojan Exploits Three Year-Old Windows Flaw

Data-stealing malware relies on old bug to break into systems at energy companies.

Despite all the attention paid to zero-day bugs and sophisticated new attack techniques, criminal hackers often exploit old vulnerabilities where they can in order to gain access to an enterprise network or system.

The latest case in point is Trojan Laziok, a malware tool that exploits a three-year old Windows vulnerability to gain access to systems belonging to energy companies in the Middle East and, to a lesser extent, other regions of the world. Roughly 10 percent of the malware’s victims are based in the US and UK.

Security researchers at Symantec described the malware as a reconnaissance tool that allows attackers to gather data from compromised computers and use the information to make decisions on whether to carry out or drop further attacks against the systems.

Laziok is designed to collect system configuration data such as computer name, installed software, memory, hard disk size, and type of antivirus software installed on the system.

It is also designed to drop customized copies of Backdoor. Cyberat and Trojan.Zbot, two well-known data stealers, on systems that are identified by the attackers as being worthy of further compromise. “We observed that the threats were downloaded from a few servers operating in the US, UK, and Bulgaria,” Symantec security researcher Christian Tripputi said in the blog post describing the Trojan.

Companies targeted by the Trojan were mostly in the petroleum, gas, and helium industries, suggesting that the attackers have a strategic interest in the energy sector, Tripputi said.

What makes Laziok interesting is that it exploits a software flaw for which a patch was available back in 2012, says security researcher Satnam Narang.

Laziok arrives as a malicious attachment in spam emails purporting to be from the moneytran.eu domain. The attachment contains an exploit for a remote, code execution vulnerability in a Windows ActiveX Control.

The flaw was first disclosed three years ago in April 2012 and was patched shortly thereafter. It was exploited in multiple previous attack campaigns including Red October, a sophisticated cyberespionage campaign against numerous government, diplomatic, and research organizations worldwide.

Despite the attention focused the flaw, Laziok has shown that many organizations have yet to patch against it, Narang said.

“Zero-days are considered the jewels of the pack,” Narang says. “But in this case [the attackers] are using an outdated vulnerability that has been already patched.”

It underscores how criminal hackers, when developing exploits for new campaigns, have an expectation that a lot of people are going to be running unpatched software, he says. While zero-day exploits are much more valuable from a hacker standpoint they are also more costly to discover and use than attacks targeting older flaws. So cyber criminals have a tendency to exploit old flaws where they can, Narang said.

The Laziok campaign shows why attack tools and exploits matter less than victim targeting and the economics of the attack campaign, said Philip Lieberman, president of Lieberman Software.

“Just as a company looks at the ROI of their offerings, attackers attempt to use the most inexpensive tools possible to achieve the greatest ROI,” he said in emailed comments. The attack takes advantage of the failure by many organizations in the oil and gas industry to keep their Windows software environment properly patched, he said.

“The attack points out the lack of general preparation of cyber-defense teams in many areas of the oil and gas industry worldwide.”

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/17/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-25789
PUBLISHED: 2020-09-19
An issue was discovered in Tiny Tiny RSS (aka tt-rss) before 2020-09-16. The cached_url feature mishandles JavaScript inside an SVG document.
CVE-2020-25790
PUBLISHED: 2020-09-19
** DISPUTED ** Typesetter CMS 5.x through 5.1 allows admins to upload and execute arbitrary PHP code via a .php file inside a ZIP archive. NOTE: the vendor disputes the significance of this report because "admins are considered trustworthy"; however, the behavior "contradicts our secu...
CVE-2020-25791
PUBLISHED: 2020-09-19
An issue was discovered in the sized-chunks crate through 0.6.2 for Rust. In the Chunk implementation, the array size is not checked when constructed with unit().
CVE-2020-25792
PUBLISHED: 2020-09-19
An issue was discovered in the sized-chunks crate through 0.6.2 for Rust. In the Chunk implementation, the array size is not checked when constructed with pair().
CVE-2020-25793
PUBLISHED: 2020-09-19
An issue was discovered in the sized-chunks crate through 0.6.2 for Rust. In the Chunk implementation, the array size is not checked when constructed with From<InlineArray<A, T>>.