Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

News

4/1/2015
05:30 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Laziok Trojan Exploits Three Year-Old Windows Flaw

Data-stealing malware relies on old bug to break into systems at energy companies.

Despite all the attention paid to zero-day bugs and sophisticated new attack techniques, criminal hackers often exploit old vulnerabilities where they can in order to gain access to an enterprise network or system.

The latest case in point is Trojan Laziok, a malware tool that exploits a three-year old Windows vulnerability to gain access to systems belonging to energy companies in the Middle East and, to a lesser extent, other regions of the world. Roughly 10 percent of the malware’s victims are based in the US and UK.

Security researchers at Symantec described the malware as a reconnaissance tool that allows attackers to gather data from compromised computers and use the information to make decisions on whether to carry out or drop further attacks against the systems.

Laziok is designed to collect system configuration data such as computer name, installed software, memory, hard disk size, and type of antivirus software installed on the system.

It is also designed to drop customized copies of Backdoor. Cyberat and Trojan.Zbot, two well-known data stealers, on systems that are identified by the attackers as being worthy of further compromise. “We observed that the threats were downloaded from a few servers operating in the US, UK, and Bulgaria,” Symantec security researcher Christian Tripputi said in the blog post describing the Trojan.

Companies targeted by the Trojan were mostly in the petroleum, gas, and helium industries, suggesting that the attackers have a strategic interest in the energy sector, Tripputi said.

What makes Laziok interesting is that it exploits a software flaw for which a patch was available back in 2012, says security researcher Satnam Narang.

Laziok arrives as a malicious attachment in spam emails purporting to be from the moneytran.eu domain. The attachment contains an exploit for a remote, code execution vulnerability in a Windows ActiveX Control.

The flaw was first disclosed three years ago in April 2012 and was patched shortly thereafter. It was exploited in multiple previous attack campaigns including Red October, a sophisticated cyberespionage campaign against numerous government, diplomatic, and research organizations worldwide.

Despite the attention focused the flaw, Laziok has shown that many organizations have yet to patch against it, Narang said.

“Zero-days are considered the jewels of the pack,” Narang says. “But in this case [the attackers] are using an outdated vulnerability that has been already patched.”

It underscores how criminal hackers, when developing exploits for new campaigns, have an expectation that a lot of people are going to be running unpatched software, he says. While zero-day exploits are much more valuable from a hacker standpoint they are also more costly to discover and use than attacks targeting older flaws. So cyber criminals have a tendency to exploit old flaws where they can, Narang said.

The Laziok campaign shows why attack tools and exploits matter less than victim targeting and the economics of the attack campaign, said Philip Lieberman, president of Lieberman Software.

“Just as a company looks at the ROI of their offerings, attackers attempt to use the most inexpensive tools possible to achieve the greatest ROI,” he said in emailed comments. The attack takes advantage of the failure by many organizations in the oil and gas industry to keep their Windows software environment properly patched, he said.

“The attack points out the lack of general preparation of cyber-defense teams in many areas of the oil and gas industry worldwide.”

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RDP Bug Takes New Approach to Host Compromise
Kelly Sheridan, Staff Editor, Dark Reading,  7/18/2019
The Problem with Proprietary Testing: NSS Labs vs. CrowdStrike
Brian Monkman, Executive Director at NetSecOPEN,  7/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12162
PUBLISHED: 2019-07-23
Upwork Time Tracker 5.2.2.716 doesn't verify the SHA256 hash of the downloaded program update before running it, which could lead to code execution or local privilege escalation by replacing the original update.exe.
CVE-2018-18669
PUBLISHED: 2019-07-23
GNUBOARD5 5.3.1.9 has XSS that allows remote attackers to inject arbitrary web script or HTML via the "board title contents" parameter, aka the adm/board_form_update.php bo_subject parameter.
CVE-2019-10101
PUBLISHED: 2019-07-23
Jsish 2.4.84 2.0484 is affected by: Reachable Assertion. The impact is: denial of service. The component is: function Jsi_ValueArrayIndex (jsiValue.c:366). The attack vector is: executing crafted javascript code. The fixed version is: after commit 738ead193aff380a7e3d7ffb8e11e446f76867f3.
CVE-2019-9815
PUBLISHED: 2019-07-23
If hyperthreading is not disabled, a timing attack vulnerability exists, similar to previous Spectre attacks. Apple has shipped macOS 10.14.5 with an option to disable hyperthreading in applications running untrusted code in a thread through a new sysctl. Firefox now makes use of it on the main thre...
CVE-2019-9816
PUBLISHED: 2019-07-23
A possible vulnerability exists where type confusion can occur when manipulating JavaScript objects in object groups, allowing for the bypassing of security checks within these groups. *Note: this vulnerability has only been demonstrated with UnboxedObjects, which are disabled by default on all supp...