Stuxnet LNK Exploits Still Widely Circulated

Endpoints are still encountering exploits for the LNK vulnerability, one of the principal infection mechanisms used by the Stuxnet worm.

One of the alleged mandates around the development of the Stuxnet worm was that malware’s numerous components—which included a handful of zero days—should never escape the Natanz uranium enrichment facility in Iran. Eight years later, evidence continues to mount as to how that mandate was categorically not met.

Kaspersky Lab today released a report on exploits in the wild that indicates that endpoints are still running head-on into exploits for the since-patched LNK vulnerability (CVE-2010-2568), almost two times more in 2016 than the next most prevalent exploit in circulation, Lotoor, which roots Android devices. In 2016, the Kaspersky report says, exploits for the LNK vulnerability (25 percent) and Lotoor (16 percent) account for 41 percent of exploits encountered by users. While these numbers are down from 2015 (27 percent and 11 percent respectively), the LNK exploit appears to be hanging around for the foreseeable future.

“This may be due to the fact that malware that uses these exploits have a self-replicating feature, constantly recreating themselves in the attacked network where vulnerable computers are installed,” Kaspersky Lab said in its report.

The LNK exploit was just part of the Stuxnet attacks on Natanz, which targeted not only Windows machines running in the facility, but primarily Siemens programmable logic controllers managing centrifuges used to enrich uranium to support Iran’s nuclear efforts. The exploits revolved around maliciously crafted .LNK files that Windows Explorer did not process securely when it displayed their icons. Successful exploits allowed the attackers to execute code in the Windows shell on vulnerable machines.

LNK files define shortcuts to files or directories; Windows allows them to use custom icons from control panel files (.CPL). In Windows, those icons are loaded from modules, either executables or DLLs; CPLs are DLLs. An attacker can therefore define which executable module is loaded and use the .LNK file to execute arbitrary code inside the Windows shell.
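The defender-side takeaway from the paragraph above is that a shortcut's icon source is a module Explorer will load, so a triage tool should pull that field out of every .LNK it sees and flag ones that point at a .cpl or at a module outside the local system directory. The following parser is an added example for this article, not code from Kaspersky Lab, Microsoft or the Stuxnet analyses it cites. It walks the documented Shell Link header (76 bytes, LinkFlags at offset 0x14), the optional LinkTargetIDList and LinkInfo blocks, and the StringData section, then applies three simple rules. The two sample shortcuts are constructed in memory; the ID-list bytes in the suspicious sample are a placeholder containing a UTF-16 path, not a faithful control-panel shell item, so the ID-list rule is a substring check rather than a full item parser.

```python
import struct

# Shell Link CLSID 00021401-0000-0000-C000-000000000046 as stored on disk.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HEADER_SIZE = 0x4C

# LinkFlags bits that control which optional structures follow the header.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData entries appear in this fixed order, each as a 2-byte char count plus chars.
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags, raw LinkTargetIDList bytes and decoded StringData."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("bad ShellLinkHeader size")
    if data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link CLSID")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    id_list = b""
    if flags & HAS_LINK_TARGET_ID_LIST:
        size = struct.unpack_from("<H", data, pos)[0]
        id_list = data[pos + 2:pos + 2 + size]
        pos += 2 + size
    if flags & HAS_LINK_INFO:
        # LinkInfoSize counts the whole block including itself; skip it.
        pos += struct.unpack_from("<I", data, pos)[0]
    strings = {}
    unicode = bool(flags & IS_UNICODE)
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        width = 2 if unicode else 1
        raw = data[pos:pos + count * width]
        pos += count * width
        strings[name] = raw.decode("utf-16-le" if unicode else "latin-1")
    return {"flags": flags, "id_list": id_list, "strings": strings}


def assess_lnk(data: bytes) -> list:
    """Return human-readable reasons a shortcut deserves analyst attention."""
    parsed = parse_lnk(data)
    reasons = []
    icon = parsed["strings"].get("icon_location", "")
    if icon.lower().endswith(".cpl"):
        reasons.append("icon_location names a .cpl module")
    if icon.startswith("\\\\"):
        reasons.append("icon module lives on a UNC path")
    idl = parsed["id_list"].lower()
    if b".cpl" in idl or ".cpl".encode("utf-16-le") in idl:
        reasons.append("LinkTargetIDList references a .cpl")
    return reasons


def build_lnk(flags: int, id_list: bytes = b"", icon_location: str = "") -> bytes:
    """Construct a minimal shortcut for testing (hypothetical sample, not a real file)."""
    header = struct.pack("<I", HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += bytes(HEADER_SIZE - len(header))  # zero the remaining header fields
    body = header
    if flags & HAS_LINK_TARGET_ID_LIST:
        body += struct.pack("<H", len(id_list)) + id_list
    if flags & HAS_ICON_LOCATION:
        encoded = icon_location.encode("utf-16-le" if flags & IS_UNICODE else "latin-1")
        body += struct.pack("<H", len(icon_location)) + encoded
    return body


# Constructed samples: a benign shortcut using a stock system DLL for its icon,
# and one whose icon source and ID list both point at a .cpl on a network share.
BENIGN = build_lnk(HAS_ICON_LOCATION | IS_UNICODE,
                   icon_location="%SystemRoot%\\system32\\shell32.dll")
SUSPICIOUS_PATH = "\\\\fileserver\\share\\helper.cpl"  # placeholder, not an IoC
SUSPICIOUS = build_lnk(
    HAS_LINK_TARGET_ID_LIST | HAS_ICON_LOCATION | IS_UNICODE,
    id_list=b"\x14\x00" + SUSPICIOUS_PATH.encode("utf-16-le") + b"\x00\x00",
    icon_location=SUSPICIOUS_PATH,
)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, parse_lnk(sample)["strings"], assess_lnk(sample))
```

Run it over a directory of shortcuts harvested from removable media or mail attachments and route anything with a non-empty reason list to a sandbox; the rules are deliberately coarse, and a production detector would also parse the control-panel shell item inside the ID list rather than string-matching it.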

While Microsoft quickly patched the vulnerability once it was disclosed in 2010, it was reported five years later that the original patches were incomplete, forcing Microsoft to release an update bulletin with new patches.

The Kaspersky report, meanwhile, demonstrates the value of reliable exploits to attackers. Many of the exploits called out in the report are not flashy unpatched zero-days, but instead have some mileage on them. While exploit kits dropped off the lists of top threats, venerable standbys such as CVE-2012-0158 in Office and CVE-2014-2423 in Java continue to draw the attention of exploit writers.

The widespread disappearance of exploit kits—largely because of the arrest of the criminals behind Angler—has forced criminals to return to email-based attacks with macro-based malware buried inside Office attachments, now a top vehicle for malware delivery.

For example, attacks against browser and Windows vulnerabilities dropped 33.4 percent and 21.5 percent respectively from 2015 to 2016, Kaspersky said, while Office exploits rose 103 percent. While exploits against Adobe Flash and Android rose last year, Java and Adobe Reader exploits joined browsers and Windows on the negative side.

Kaspersky Lab said the number of browser vulnerabilities overall dropped 8 percent last year, while disclosed Office bugs went up 20 percent.

Other noteworthy data points from the report include:

  • Kaspersky said it blocked 702 million attacks using an exploit in 2016, up 24 percent from 2015
  • Corporate users encountering attacks using exploits increased 28 percent
  • 70 percent of users encountered browser, Windows, Android or Office exploits
  • Russian-speaking APT Sofacy has used six zero-day exploits and 25 vulnerabilities overall; Equation Group has used eight zero days, and 17 vulnerabilities
  • 15 percent of computers in Europe and North America are still vulnerable to CVE-2012-0158