HangOver Malicious Software Used in Targeted Attacks
IntelliShield: Security Activity Bulletin
2013 May 20 20:02 GMT
2013 May 20 20:02 GMT
Researchers have identified malicious software used in targeted attacks against government national security organizations and private commercial organizations.
Researchers from the security firm Norman have released a report detailing malicious software used in targeted attacks against national security infrastructure and operations in Pakistan, Iran, and the United States, along with other private industries, such as food service, manufacturing, and telecommunications, in attempts to monitor national security operations and steal trade secrets. The sources of the attacks, the malicious software, and the related command-and-control systems are thought to originate from private organizations in India that are unrelated to state or government organizations. Attacks may have begun in September 2010, and elements of the malicious software may have persisted in some environments for months or years.
The HangOver malicious software, also known as Hanove, is distributed mainly through targeted spear-phishing e-mail campaigns. Websites and e-mail messages related to the spear-phishing campaigns contain sophisticated, relevant, and timely cultural and religious content, making users more likely to trust e-mail messages, websites, and links.
HangOver exploits known vulnerabilities for which patches exist. These vulnerabilities are in client applications such as Oracle Java, Microsoft Word, and web browsers. Notably, the malicious software targets the following documented vulnerabilities: IntelliShield Alert 25557 (CVE-2012-0158), IntelliShield Alert 27711 (CVE-2012-4792), and IntelliShield Alert 27845 (CVE-2013-0422).
Once on a system, the malicious software contacts a sophisticated command-and-control infrastructure hosted in India, uploads information about the infected system, and downloads and installs additional malicious software. HangOver persists on the system, scans the system for document files, and uploads those files to command-and-control servers using FTP or HTTP. Requests to command-and-control servers use obfuscated or encoded content in an attempt to bypass egress filtering.
Administrators may consider searching system and access logs for domain names, IP addresses, and MD5 hashes detailed in the Norman report to determine whether the malicious software has infected systems in internal networks.
Users are advised not to open e-mail messages from suspicious or unrecognized sources. If users cannot verify that links or attachments included in e-mail messages are safe, they are advised not to open them.
The security vulnerability applies to the following combinations of products.
Security Activity Bulletin
Original Release Base
Alerts and bulletins on the Cisco Security Intelligence Operations Portal are highlighted by analysts in the
Cisco Threat Operations Center and represent a subset of the comprehensive content that is available through Cisco Security IntelliShield Alert Manager Service.
This customizable threat and vulnerability alert service provides security staff with access to timely, accurate, and credible information about threats and vulnerabilities that may affect their environment.
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.