All the latest UK technology news, reviews and analysis


Microsoft Office, Windows Server and Lync exploits linked to Operation Hangover hackers

07 Nov 2013
Security padlock image

Security experts have linked recent targeted attacks hitting Microsoft's Office, Lync and Windows Server services to two groups of hackers.

FireEye researchers have linked the attacks to the group behind the notorious Operation Hangover attacks and a new criminal cyber-cartel codenamed Arx.

"A zero-day vulnerability was recently discovered that exploits a Microsoft graphics component using malicious Word documents as the initial infection vector. Our analysis has revealed a connection between these attacks and those previously documented in Operation Hangover," FireEye disclosed in a post on its blog.

"However, we have found that another group also has access to this exploit and is using it to deliver the Citadel Trojan malware. This group, which we call the Arx group, may have had access to the exploit before the Hangover group did."

The attacks were revealed by Microsoft's Trustworthy Computing (TwC) division on Wednesday. Microsoft has since released a temporary fix for the vulnerabilities while it works on a more permanent solution.

The FireEye researchers said the two groups had very different motives and goals when targeting the exploits. The use of the exploits by the Hangover hackers is believed to be a simple extension of the group's previous information-stealing activities.

"Information obtained from a command-and-control server (CnC) used in recent attacks leveraging this zero-day exploit revealed that the Hangover group, believed to operate from India, has compromised 78 computers, 47 percent of those in Pakistan," FireEye said.

"It appears that when the target systems successfully checked in to the CnC server, the server could push down an executable file to be executed on the targeted system. The result of that action was recorded in Result.txt.

"We obtained a number of these second-stage executables listed in the Result.txt output from a Hangover-linked CnC server. These executables included a variety of tools including a reverse-shell backdoor, a keylogger, a screenshot grabber and a document exfiltration tool."

Operation Hangover was uncovered in May, when security researchers spotted a number of data-stealing attacks targeting the Apple Mac OS X operating system. The campaign targeted numerous big-name companies including Norwegian telecommunications provider Telenor.

The Arx Group by contrast was listed as having more basic criminal goals. "Malware linked to the Arx group is usually sent out in [fake] ‘Swift Payment' emails. These emails are common in spam campaigns and typically drop banking Trojans and other crimeware," read the FireEye post.

FireEye's findings have been supported by other security providers. Competitor Symantec reported uncovering similar evidence linking the attacks to the Hangover group in a blog post. "After analysing the payloads being used in this attack, we have identified that the targeted emails are part of an attack campaign known as Operation Hangover," read the post.

Targeted attacks have been a growing problem facing the security community, which has led many government agencies and security providers to call for increased attack data-sharing between businesses.

Symantec pledged to create a new centralised information-sharing big data hub to help customers spot and pre-empt custom-built malware used in targeted attacks at the RSA Conference held in Amsterdam in October.

  • Comment  
  • Tweet  
  • Google plus  
  • Facebook  
  • LinkedIn  
  • Stumble Upon  
Alastair Stevenson
About

Alastair has worked as a reporter covering security and mobile issues at V3 since March 2012. Before entering the field of journalism Alastair had worked in numerous industries as both a freelance copy writer and artist.

View Alastair's Google+ profile

More on Security
What do you think?
blog comments powered by Disqus
Poll

Green IT poll

How important is it to your business that a cloud provider uses renewable energy like solar or wind to power their data centres?
22%
6%
3%
2%
67%

Popular Threads

Powered by Disqus
Galaxy S5 vs Nexus 5 head to head review front

Galaxy S5 vs Nexus 5 video review

We compare Samsung and Google's top devices

Updating your subscription status Loading
Newsletters

Get the latest news (daily or weekly) direct to your inbox with V3 newsletters.

newsletter sign-up button
hpv3may

Getting started with virtualisation

Virtualisation can help you reduce costs, improve application availability, and simplify IT
management. However, getting started can be challenging

ibmv3may

Converting big data and analytics insights into results

Successful leaders are infusing analytics throughout their organisations to drive smarter decisions, enable faster actions and optimise outcomes

Senior Test Analyst - Nottingham

Role - Senior Test Analyst Location - Nottingham, East...

Service Delivery Manager / Support Operations Manager

Service Delivery Manager / Support Operations Manager...

FICO Business Analyst

SAP FICO Business Analyst required for a large international...

Client-Side web developer (JQuery, Javascript, UI, JMX, FIX)

Client-Side web developer (JQuery, Javascript, UI, JMX...
To send to more than one email address, simply separate each address with a comma.