Security Activity Bulletin

HangOver Malicious Software Used in Targeted Attacks

 
Threat Type: IntelliShield: Security Activity Bulletin
IntelliShield ID: 29383
Version: 1
First Published: 2013 May 20 20:02 GMT
Last Published: 2013 May 20 20:02 GMT
Port: Not available
Urgency: Possible use
Credibility: Highly Credible
Severity: Mild Damage

Version Summary: Researchers have identified malicious software used in targeted attacks against government national security organizations and private commercial organizations.
 

Description
 
Researchers from the security firm Norman have released a report detailing malicious software used in targeted attacks against national security infrastructure and operations in Pakistan, Iran, and the United States, and against private-sector organizations in industries such as food service, manufacturing, and telecommunications, in attempts to monitor national security operations and steal trade secrets. The attacks, the malicious software, and the related command-and-control systems are thought to originate from private organizations in India with no known ties to state or government bodies. Attacks may have begun as early as September 2010, and components of the malicious software may have persisted in some environments for months or years.

The HangOver malicious software, also known as Hanove, is distributed mainly through targeted spear-phishing e-mail campaigns. The websites and e-mail messages used in these campaigns carry timely, well-crafted cultural and religious content tailored to the targets, making recipients more likely to trust the messages, the websites, and the links they contain.

HangOver exploits known vulnerabilities for which patches exist, in client applications such as Oracle Java, Microsoft Word, and web browsers; keeping these clients current therefore blocks the initial infection vector. Notably, the malicious software targets the following documented vulnerabilities: IntelliShield Alert 25557 (CVE-2012-0158), IntelliShield Alert 27711 (CVE-2012-4792), and IntelliShield Alert 27845 (CVE-2013-0422).

Once on a system, the malicious software contacts a sophisticated command-and-control infrastructure hosted in India, uploads information about the infected system, and downloads and installs additional malicious components. HangOver persists on the system, scans it for document files, and uploads those files to command-and-control servers over FTP or HTTP. Requests to command-and-control servers use obfuscated or encoded content in an attempt to evade egress filtering and content inspection.

Norman has released the research report publicly at the following link: The Hangover Report

Administrators may consider searching system, proxy, DNS, and access logs for the domain names and IP addresses detailed in the Norman report, and comparing the hashes of suspicious files against the MD5 hashes it lists, to determine whether the malicious software has infected systems on internal networks.
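A worked indicator sweep of the kind this paragraph recommends, as an added example that is not code from the bulletin or from the Norman report. It matches a set of domains, IP addresses and MD5 hashes against log lines and against files on disk. Every indicator value, host name and log line in it is a constructed placeholder drawn from reserved example names and address ranges, not an indicator from the report; in use, the three indicator sets would be filled from the report's lists.

```python
"""Indicator sweep: match domains, IP addresses and MD5 hashes from a threat
report against proxy/DNS/FTP log lines and against files on disk.

Added example. All indicator values and log lines below are constructed
placeholders (RFC 2606 reserved names, RFC 5737 documentation addresses),
not indicators from the Norman report.
"""
import hashlib
import ipaddress
import re
from pathlib import Path

# Constructed placeholder indicators; the real sets come from the report.
IOC_DOMAINS = {"updates.example-c2.invalid", "cdn.example-c2.invalid"}
IOC_IPS = {"203.0.113.45", "198.51.100.7"}
IOC_MD5 = {"d41d8cd98f00b204e9800998ecf8427e"}  # MD5 of an empty file, as a stand-in

# Host names: dotted labels ending in an alphabetic TLD. IPv4: dotted quads.
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def _norm(host: str) -> str:
    return host.lower().rstrip(".")


def domain_matches(host: str, ioc_domains=IOC_DOMAINS) -> bool:
    """True if host equals an indicator domain or is a subdomain of one.
    The leading dot in the suffix test keeps 'notexample-c2.invalid' from
    matching 'example-c2.invalid'."""
    host = _norm(host)
    return any(host == d or host.endswith("." + d) for d in map(_norm, ioc_domains))


def scan_log_line(line: str, ioc_domains=IOC_DOMAINS, ioc_ips=IOC_IPS):
    """Return [(kind, value), ...] for every indicator found in one log line."""
    hits = []
    for ip in IPV4_RE.findall(line):
        try:
            ipaddress.IPv4Address(ip)  # drops regex false positives such as 999.1.1.1
        except ValueError:
            continue
        if ip in ioc_ips:
            hits.append(("ip", ip))
    for host in DOMAIN_RE.findall(line):
        if domain_matches(host, ioc_domains):
            hits.append(("domain", _norm(host)))
    return hits


def sweep_log(lines, **kw):
    """Return [(line_number, kind, value), ...] across an iterable of log lines."""
    return [(n, kind, value) for n, line in enumerate(lines, 1)
            for kind, value in scan_log_line(line, **kw)]


def md5_hex(data: bytes) -> str:
    # MD5 is used only because reports publish MD5 sums; it is a lookup key here,
    # not a security control.
    return hashlib.md5(data).hexdigest()


def file_md5(path: Path, chunk: int = 1 << 20) -> str:
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep_files(root, ioc_md5=IOC_MD5):
    """Return paths under root whose MD5 is in the indicator set."""
    return [p for p in Path(root).rglob("*") if p.is_file() and file_md5(p) in ioc_md5]


# Constructed sample log lines (proxy, DNS and FTP), not real traffic.
SAMPLE_LOG_LINES = [
    "2013-05-20T10:01:02Z proxy src=10.0.0.12 dst=203.0.113.45 POST http://updates.example-c2.invalid/upload.php",
    "2013-05-20T10:01:09Z dns client=10.0.0.12 query=cdn.example-c2.invalid type=A",
    "2013-05-20T10:02:00Z proxy src=10.0.0.15 dst=192.0.2.10 GET http://www.example.com/",
    "2013-05-20T10:03:11Z ftp src=10.0.0.12 dst=198.51.100.7 STOR report.docx",
]

if __name__ == "__main__":
    for n, kind, value in sweep_log(SAMPLE_LOG_LINES):
        print(f"line {n}: {kind} indicator {value} -> {SAMPLE_LOG_LINES[n - 1]}")
```

Run against real logs, feed `sweep_log` the lines of the proxy, DNS and firewall exports and point `sweep_files` at user profile and temporary directories where dropped components would be written. The subdomain-aware domain match matters because command-and-control hosts are often reached through short-lived subdomains of a listed parent domain.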

Users are advised not to open e-mail messages from suspicious or unrecognized sources, and not to open links or attachments in e-mail messages that they cannot verify as safe.
 
Alert History
 
Initial Release


Product Sets
 
The security vulnerability applies to the following combinations of products.

Primary Products:
IntelliShield Security Activity Bulletin Original Release Base

Associated Products:
N/A




Alerts and bulletins on the Cisco Security Intelligence Operations Portal are highlighted by analysts in the Cisco Threat Operations Center and represent a subset of the comprehensive content that is available through Cisco Security IntelliShield Alert Manager Service. This customizable threat and vulnerability alert service provides security staff with access to timely, accurate, and credible information about threats and vulnerabilities that may affect their environment.


LEGAL DISCLAIMER
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.
Powered by IntelliShield