Hackers latest exploit "Operation Hangover"

On November 5, Microsoft Windows and Office vulnerability that came to light is the Microsoft Graphics component that affects Windows, Microsoft Office and Microsoft Lync: the Multiple Microsoft Products Remote Code Execution Vulnerability (CVE-2013-3906).

Early research into the zero-day exploit detected only highly targeted attacks on individuals or companies that were mostly located in the Middle East and South Asia. More often than not, the word "targeted" is used to describe espionage campaigns aimed a particular company or industry.

The researchers have uncovered evidence that the same critical flaw—found in Windows Vista, Windows Server 2008, Microsoft Office 2003 through 2010, and all supported versions of Microsoft Lync—is also being targeted in wider-ranging hacking campaigns being carried out by multiple gangs, including one made up of financially motivated criminals.

Recently discovered attacks are being carried out by the same India-based group behind Operation Hangover, a malware campaign first detected earlier this year, researchers from security firm FireEye wrote in a recent blog post.

Microsoft has yet to release a patch for this vulnerability, it has provided a temporary "Fix It” tool as a workaround until a security update is made available. To ensure that Symantec customers are protected from attacks using this zero-day vulnerability, the following protection is being released:

Antivirus

• Trojan.Hantiff
• Bloodhound.Exploit.525

Intrusion Prevention System

• Web Attack: Microsoft Office RCE CVE-2013-3906_2

The attacks Symantec captured used malicious Word documents attached to emails with subject headings such as "Illegal Authorization for Funds Transfer" and "Problem with Credit September 26th 2013."

Symantec said this is the first time that the Hangover group has used a zero-day vulnerability in its attacks. Symantec has protection in place for the threats used in this latest wave of the Operation Hangover campaign as Trojan.Mdropper, Downloader and Infostealer. To allow customers to identify this attack, we are mapping the latest components of the Operation Hangover campaign to Trojan.Smackdown.B and Trojan.Hangove.B. 

The Microsoft blog post states that this vulnerability is being actively exploited in targeted attacks using crafted Word documents sent in emails. Symantec’s research into the exploitation of this zero-day flaw in the wild has shown that our Symantec.Cloud service preemptively blocks emails sent as part of this attack. Here are some examples of the email subject headings and the attached files’ names seen in the attack:

File name: Details_Letter of Credit.doc

Email subject: Illegal Authorization for Funds Transfer

File name: Missing MT103 Confirmation.docx

Email subject: Problem with Credit September 26th 2013

File name: Illegality_Supply details.docx

Email subject: Illegal Authorization for Funds Transfer

After analyzing the payloads being used in this attack, we have identified that the targeted emails are part of an attack campaign known as Operation Hangover, which we covered back in May 2013 in the blog post: Operation Hangover: Q&A on Attacks. At that time, the group behind these attacks was known to have used multiple vulnerabilities, but was not known to have used any zero-day flaws in the attacks. As predicted in our previous blog post, the exposure of Operation Hangover would not adversely affect the activities of the group orchestrating the campaign, which can be clearly seen now with these latest activities involving the zero-day vulnerability. 

The Hangover group was previously linked to a sophisticated targeted attack launched from India ultimately designed to steal information from a range of government and private enterprise victims in Pakistan, China and elsewhere. The cyber-espionage campaign was pieced together by Norwegian antivirus firm Norman in the course of its investigation into a cyber attack against Norwegian telco Telenor.