Cyberespionage Group Abuses LoJack Theft Recovery Software

Security researchers have found instances of the Absolute LoJack theft recovery technology phoning back to servers associated with a notorious Russian cyberespionage group known as Fancy Bear.

Absolute LoJack, previously known as Computrace, is highly persistent software that’s preloaded on many laptops. Once enabled, it allows laptop owners to remotely locate, lock and wipe their devices in case they’re stolen.

The technology stands apart because it has components embedded in BIOS/UEFI firmware through partnerships with computer manufacturers. This means that it survives even OS reinstalls and hard disk drive replacements.

The BIOS/UEFI component injects a small software agent into Windows and registers it as a system service. This service then connects to a remote server controlled by Absolute Software and installs the theft recovery agent.

Security researchers from Netscout’s Arbor division have come across five instances of the LoJack software agent that were communicating with four suspicious domain names, three of which have been associated in the past with Fancy Bear’s cyberespionage operations.

In 2014, security researchers from Kaspersky Lab published a paper showing how Absolute’s Computrace technology could be abused to serve as a backdoor. They pointed out that its small Windows software agent could easily be modified to make it connect to a rogue server.

“The protocol used by the Small Agent provides the basic feature of remote code execution,” the researchers warned in a blog post at the time. “The protocol doesn’t use any encryption or authorization with the remote server, which creates numerous opportunities for remote attacks in a hostile network environment.”

It seems that four years later, cyberespionage groups are taking advantage of this powerful functionality that’s present on many devices and is both persistent and stealthy.

The LoJack agent is whitelisted by default by many antivirus programs, and those that do detect it flag it as “not-a-virus” or “Risk Tool” instead of malware. LoJack users who willingly turned on the feature on their computers are also likely to have whitelisted the agent in their security products.

“With low AV detection, the attacker now has an executable hiding in plain sight, a double-agent,” the Netscout researchers said. “The attacker simply needs to stand up a rogue C2 [command-and-control] server that simulates the Lojack communication protocols. Finally, Lojack’s ‘small agent’ allows for memory reads and writes which grant it remote backdoor functionality when coupled with a rogue C2 server.”

The Netscout report contains file signatures for the rogue LoJack samples as well as domain names and other indicators of compromise. The company has also provided a YARA signature that organizations can use to detect the agent on their computers and block its communications with malicious domains.
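Added here as an illustration of the detection point above, not code from the Netscout report or from Absolute: since the agent binary itself is trusted and whitelisted, the defender's usable signal is where it connects. The vendor domain, the agent process name and the connection records below are constructed placeholders, not values from the page.

```python
import ipaddress
# Constructed placeholder: the page does not name Absolute's legitimate
# recovery servers, so substitute the vendor's real domains here.
LEGIT_LOJACK_DOMAINS = {"recovery.example-absolute.invalid"}

# Assumed process name for the Windows "small agent"; confirm it against
# the vendor's documentation or the Netscout report before deploying.
AGENT_PROCESS = "lojack-agent.exe"

def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def host_allowed(host: str, allowlist=LEGIT_LOJACK_DOMAINS) -> bool:
    """True if host is a vendor domain or a subdomain of one (case-insensitive).
    A lookalike such as vendor.example.evil.test does not match."""
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in allowlist)

def find_rogue_beacons(records, agent=AGENT_PROCESS, allowlist=LEGIT_LOJACK_DOMAINS):
    """records: (process_name, destination_host) pairs, e.g. from Sysmon
    event ID 3 or proxy logs. Because the binary itself is trusted, the
    only signal is where it connects; return (process, dest, reason)
    for agent connections that leave the vendor's infrastructure."""
    alerts = []
    for proc, dest in records:
        if proc.lower() != agent.lower():
            continue  # other processes are out of scope for this check
        if is_ip_literal(dest):
            alerts.append((proc, dest, "agent beaconing to raw IP"))
        elif not host_allowed(dest, allowlist):
            alerts.append((proc, dest, "agent beaconing to non-vendor domain"))
    return alerts

# Constructed sample records, not indicators from the Netscout report
SAMPLE_RECORDS = [
    ("lojack-agent.exe", "recovery.example-absolute.invalid"),
    ("lojack-agent.exe", "EU.Recovery.Example-Absolute.invalid."),
    ("lojack-agent.exe", "recovery.example-absolute.invalid.evil.test"),
    ("lojack-agent.exe", "203.0.113.7"),
    ("chrome.exe", "203.0.113.7"),
]

if __name__ == "__main__":
    for proc, dest, why in find_rogue_beacons(SAMPLE_RECORDS):
        print(f"{proc} -> {dest}: {why}")
```

The same allowlist can feed an egress rule so the agent's traffic is permitted only to vendor infrastructure, which is the blocking half of what the report's indicators are meant for.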

Cisco Patches Another Critical Vulnerability in WebEx

Cisco Systems has patched another critical vulnerability in its WebEx client software that could be exploited to execute malicious code on computers.

Cisco WebEx is one of the most widely used web conferencing products in business environments. It has cloud-hosted solutions in the form of Cisco WebEx Business Suite (WBS) and Cisco WebEx Meetings, and a self-hosted solution called the Cisco WebEx Meetings Server.

Users who attend WebEx meetings have to install a software client on their computers that’s offered by the WebEx server hosting the meeting. Special media players can also be installed alongside the clients when users attempt to play back meeting recordings.

The newly patched vulnerability is located in one such player called the Cisco WebEx Network Recording Player for Advanced Recording Format (ARF).

“An attacker could exploit this vulnerability by sending the user a link or email attachment with a malicious ARF file and persuading the user to follow the link or open the file,” Cisco warns in its advisory. “Successful exploitation could allow the attacker to execute arbitrary code on the user’s system.”

The company advises customers to upgrade to Cisco WebEx Business Suite (WBS31) client build T31.23.4, Cisco WebEx Business Suite (WBS32) client build T32.12, Cisco WebEx Meetings client build T32.12 and Cisco WebEx Meeting Server 3.0 Patch 1.

This is the second remote code execution vulnerability fixed in WebEx client software over the course of one month, so it’s probably best for users who don’t need this software on an ongoing basis to remove it from their computers.

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42