Despite all the attention paid to zero-day bugs and sophisticated new attack techniques, criminal hackers often exploit old vulnerabilities where they can in order to gain access to an enterprise network or system.
The latest case in point is Trojan Laziok, a malware tool that exploits a three-year old Windows vulnerability to gain access to systems belonging to energy companies in the Middle East and, to a lesser extent, other regions of the world. Roughly 10 percent of the malware’s victims are based in the US and UK.
Security researchers at Symantec described the malware as a reconnaissance tool that allows attackers to gather data from compromised computers and use the information to make decisions on whether to carry out or drop further attacks against the systems.
Laziok is designed to collect system configuration data such as computer name, installed software, memory, hard disk size, and type of antivirus software installed on the system.
It is also designed to drop customized copies of Backdoor. Cyberat and Trojan.Zbot, two well-known data stealers, on systems that are identified by the attackers as being worthy of further compromise. “We observed that the threats were downloaded from a few servers operating in the US, UK, and Bulgaria,” Symantec security researcher Christian Tripputi said in the blog post describing the Trojan.
Companies targeted by the Trojan were mostly in the petroleum, gas, and helium industries, suggesting that the attackers have a strategic interest in the energy sector, Tripputi said.
What makes Laziok interesting is that it exploits a software flaw for which a patch was available back in 2012, says security researcher Satnam Narang.
Laziok arrives as a malicious attachment in spam emails purporting to be from the moneytran.eu domain. The attachment contains an exploit for a remote, code execution vulnerability in a Windows ActiveX Control.
The flaw was first disclosed three years ago in April 2012 and was patched shortly thereafter. It was exploited in multiple previous attack campaigns including Red October, a sophisticated cyberespionage campaign against numerous government, diplomatic, and research organizations worldwide.
Despite the attention focused the flaw, Laziok has shown that many organizations have yet to patch against it, Narang said.
“Zero-days are considered the jewels of the pack,” Narang says. “But in this case [the attackers] are using an outdated vulnerability that has been already patched.”
It underscores how criminal hackers, when developing exploits for new campaigns, have an expectation that a lot of people are going to be running unpatched software, he says. While zero-day exploits are much more valuable from a hacker standpoint they are also more costly to discover and use than attacks targeting older flaws. So cyber criminals have a tendency to exploit old flaws where they can, Narang said.
The Laziok campaign shows why attack tools and exploits matter less than victim targeting and the economics of the attack campaign, said Philip Lieberman, president of Lieberman Software.
“Just as a company looks at the ROI of their offerings, attackers attempt to use the most inexpensive tools possible to achieve the greatest ROI,” he said in emailed comments. The attack takes advantage of the failure by many organizations in the oil and gas industry to keep their Windows software environment properly patched, he said.
“The attack points out the lack of general preparation of cyber-defense teams in many areas of the oil and gas industry worldwide.”