Attacks linked to strikes on Pakistani government bodies
Attackers have sent out emails asking targets to open a specially crafted Word attachment; opening it triggers an exploit that uses a malformed graphics image, a TIFF file, embedded in the document.
Microsoft said it had seen attacks in the Middle East and South Asia, and that hackers could use the flaw to gain the same rights as the logged-in user.
But AlienVault Labs was more specific in its findings, saying it saw lure documents for the zero-day providing information on the Pakistan Intelligence service (Inter-Services Intelligence or ISI) and the Pakistani military.
“Based on the victim information we could retrieve from the C&C server we can confirm that most of the IP addresses communicating with the C&C server are based in Pakistan,” wrote Jaime Blasco, head of AlienVault Labs.
Different kinds of payload were delivered to target machines, each communicating over HTTP with the same command and control servers.
The attack traffic seen by AlienVault was similar to that seen in Operation Hangover, which also saw a host of Pakistani government organisations targeted.
Microsoft has issued a “Fix it” solution for the zero-day, effectively preventing the rendering of TIFF images, which might not be ideal for graphics specialists fond of TIFFs.
But the company has also recommended customers use the Enhanced Mitigation Experience Toolkit (EMET). “This will help prevent exploitation by providing mitigations to protect against the issue and should not affect usability of any programs,” said Dustin Childs, Microsoft’s group manager for the Trustworthy Computing Group.
Customers running Microsoft Windows XP, Vista or Windows Server 2008 are affected if they are also running Microsoft Office 2003 through 2010, as are all supported versions of Microsoft Lync.
To learn more about Microsoft’s fix, head to its advisory here.