Moonlight Maze Attack Still Relevant Two Decades After Initial Debut

A cyber-attack that was first active in 1996 under the name Moonlight Maze, could well still be active today, 20 years after it first appeared, according to new research conducted by Kaspersky Lab and Kings College London researchers.

The original Moonlight Maze attack impacted the Pentagon, NASA and the U.S. Department of Energy. The attack made use of an intricate set of network proxies in order to stay hidden from both defenders as well as security researchers. In 2016, researcher Thomas Rid of Kings College London was able to find a system administrator whose  servers had been used as a Moonlight Maze proxy.

The system administrator actually had copies of log data from the compromised Moonlight Maze proxy host and he gave the information to Kings College and Kaspersky Lab, where it was analyzed. The analysis has led the researchers to the conclusion that code from Moonlight Maze has been used in more recent attacks, including the Turla advanced persistent threat (APT).

Moonlight Maze

In particular, there is a variant of the attack known as Penquin Turla which makes use of a specific type of backdoor code, called LOKI2, that was also a core element of Moonlight Maze attack code.

“We need to ask ourselves why it is that attackers are still able to successfully leverage ancient code in modern attacks,” Juan Andres Guerrero-Saade, senior security researcher, Global Research and Analysis Team at Kaspersky Lab, said in a statement. “The analysis of the Moonlight Maze samples is not just a fascinating archaeological study; it is also a reminder that well-resourced adversaries aren’t going anywhere. It’s up to us to defend systems with skills to match.”

Security professionals contacted by eWEEK were not all that surprised by Kaspersky’s Midnight Maze disclosure.

Nathan Wenzler, chief security strategist at AsTech, a San Francisco-based security consulting company, commented that the linkage of the Moonlight Maze attack to more modern APTs should come as no surprise to anyone in the security field.

“While the spotlight is often put upon the latest and greatest attacks, the truth is that all attacks typically take advantage of the same sorts of vulnerabilities and exploits which are not getting fixed,” Wenzler told eWEEK. “Cyber-criminals are always going to follow the path of least resistance, so, it’s far easier to piggyback off an existing attack then to try and find a wholly new attack vector.”

Chris Roberts, chief security architect at Acalvio, a Santa Clara, Calif.-based provider of advanced threat detection and defence solutions, also isn’t surprised at Kaspersky’s disclosure either, as code re-use is not uncommon.

“What I do appreciate is that code from 20 years ago is still finding a home,” Robert said. “It’s also a sad, but accurate, fact that 20 year old code can still break into things.”

From a defensive perspective, Brian Vecci, Technical Evangelist at insider threat protection vendor Varonis, commented that as long as data has value, it will always be a target for theft or abuse. He suggests that organizations focus on the data that poses the biggest risk for theft or abuse, instead of focusing on the threats.

“When organizations begin operating as if they are already breached, then they start asking the right questions about their data and how to protect it,” Vecci said. “Organizations should put a micro-perimeter around their sensitive data and monitor and flag for anomalous behavior—like data access and exfiltration.”

Originally published on eWeek

Sean Michael Kerner

Sean Michael Kerner is a senior editor at eWeek and contributor to TechWeek

Recent Posts

Apple, Google Mobile Ecosystems Should Be Investigated, CMA Told

CMA receives 'provisional recommendation' from independent inquiry that Apple,Google mobile ecosystem needs investigation

2 days ago

Australia Rejects Elon Musk Claim About Social Media Ban For Under-16s

Government minister flatly rejects Elon Musk's “unsurprising” allegation that Australian government seeks control of Internet…

2 days ago

Northvolt Files For Bankruptcy Protection In US

Northvolt files for Chapter 11 bankruptcy protection in the United States, and CEO and co-founder…

2 days ago

UK’s CMA Readies Cloud Sector “Behavioural” Remedies – Report

Targetting AWS, Microsoft? British competition regulator soon to announce “behavioural” remedies for cloud sector

3 days ago

Former Policy Boss At X, Nick Pickles, Joins Sam Altman Venture

Move to Elon Musk rival. Former senior executive at X joins Sam Altman's venture formerly…

3 days ago

Bitcoin Rises Above $96,000 Amid Trump Optimism

Bitcoin price rises towards $100,000, amid investor optimism of friendlier US regulatory landscape under Donald…

3 days ago