‘Operation Hangover’ hackers exploit latest Windows zero-day
Indian gang ups its game with targeted attacks that rely on malicious Word docs
By Gregg Keizer
November 7, 2013 10:47 AM ET
Computerworld – The unpatched vulnerability in Windows that Microsoft acknowledged on Tuesday has been used by a known Indian hacker group responsible for earlier "Operation Hangover" attacks, security company Symantec said yesterday.
The gang behind Operation Hangover is believed to be based in India, and the bulk of the first round of cyber-espionage attacks, which were discovered in May, were aimed at its neighbor and long-time adversary Pakistan.
"After analyzing the payloads being used in this attack, we have identified that the targeted emails are part of an attack campaign known as Operation Hangover," Symantec said in a blog, referring to the newest campaign that relies on the Microsoft zero-day vulnerability to hijack and infect Windows PCs.
Microsoft issued a security alert Tuesday, saying that a vulnerability in the TIFF image-format parsing component of Windows was being exploited in attacks aimed at targets in the Middle East and South Asia, the latter region representing countries like India and Pakistan.
The attacks Symantec captured used malicious Word documents attached to emails with subject headings such as "Illegal Authorization for Funds Transfer" and "Problem with Credit September 26th 2013."
It was the first time that the Hangover group has used a zero-day vulnerability in its attacks, Symantec said.
Researcher Haifei Li of security company McAfee was the first to find and report the unpatched bug to Microsoft. The Redmond, Wash., company’s security team was alerted of the vulnerability Oct. 31.
According to Li, the exploit uses multiple XML objects to "spray the heap memory," a technique more than a decade old, to uncover sections of memory suitable for use by the actual attack code.
"It is worth [noting] that this heap-spraying in Office via ActiveX objects is a new exploitation trick which we [haven’t] seen before," Li wrote earlier this week.
Microsoft’s own researchers confirmed the ActiveX-based head-spray tactic in a detailed description published on its Security Research & Defense blog Tuesday.
This article, ‘Operation Hangover’ hackers exploit latest Windows zero-day, was originally published at Computerworld.com.