Moonlight Maze Attack Still Relevant Two Decades After Initial Debut

Attack code first used in 1996 is still in use by attackers building malware in 2017, according to new research from Kaspersky Lab and Kings College London

A cyber-attack that was first active in 1996 under the name Moonlight Maze, could well still be active today, 20 years after it first appeared, according to new research conducted by Kaspersky Lab and Kings College London researchers.

The original Moonlight Maze attack impacted the Pentagon, NASA and the U.S. Department of Energy. The attack made use of an intricate set of network proxies in order to stay hidden from both defenders as well as security researchers. In 2016, researcher Thomas Rid of Kings College London was able to find a system administrator whose  servers had been used as a Moonlight Maze proxy.

The system administrator actually had copies of log data from the compromised Moonlight Maze proxy host and he gave the information to Kings College and Kaspersky Lab, where it was analyzed. The analysis has led the researchers to the conclusion that code from Moonlight Maze has been used in more recent attacks, including the Turla advanced persistent threat (APT).

malware museum


Moonlight Maze

In particular, there is a variant of the attack known as Penquin Turla which makes use of a specific type of backdoor code, called LOKI2, that was also a core element of Moonlight Maze attack code. 

“We need to ask ourselves why it is that attackers are still able to successfully leverage ancient code in modern attacks,” Juan Andres Guerrero-Saade, senior security researcher, Global Research and Analysis Team at Kaspersky Lab, said in a statement. “The analysis of the Moonlight Maze samples is not just a fascinating archaeological study; it is also a reminder that well-resourced adversaries aren’t going anywhere. It’s up to us to defend systems with skills to match.”

Security professionals contacted by eWEEK were not all that surprised by Kaspersky’s Midnight Maze disclosure.

Nathan Wenzler, chief security strategist at AsTech, a San Francisco-based security consulting company, commented that the linkage of the Moonlight Maze attack to more modern APTs should come as no surprise to anyone in the security field. 

“While the spotlight is often put upon the latest and greatest attacks, the truth is that all attacks typically take advantage of the same sorts of vulnerabilities and exploits which are not getting fixed,” Wenzler told eWEEK. “Cyber-criminals are always going to follow the path of least resistance, so, it’s far easier to piggyback off an existing attack then to try and find a wholly new attack vector.”

Chris Roberts, chief security architect at Acalvio, a Santa Clara, Calif.-based provider of advanced threat detection and defence solutions, also isn’t surprised at Kaspersky’s disclosure either, as code re-use is not uncommon. 

“What I do appreciate is that code from 20 years ago is still finding a home,” Robert said. “It’s also a sad, but accurate, fact that 20 year old code can still break into things.”

From a defensive perspective, Brian Vecci, Technical Evangelist at insider threat protection vendor Varonis, commented that as long as data has value, it will always be a target for theft or abuse. He suggests that organizations focus on the data that poses the biggest risk for theft or abuse, instead of focusing on the threats. 

“When organizations begin operating as if they are already breached, then they start asking the right questions about their data and how to protect it,” Vecci said. “Organizations should put a micro-perimeter around their sensitive data and monitor and flag for anomalous behavior—like data access and exfiltration.”

Originally published on eWeek