Microsoft Says Russian DNC Hackers Targeted Zero-Day Flaws

Anti-Malware , Fraud , Phishing

Google Detailed Bugs Targeted by 'Fancy Bear' Before Windows Patch Prepped Microsoft Says Russian DNC Hackers Targeted Zero-Day Flaws

Microsoft says a zero-day flaw in Windows that was publicly revealed by Google - before a patch was ready - was being exploited by Russian hackers via spear-phishing attacks.

See Also: 2016 IAM Research: Where Financial Institutions' PAM Programs Are Falling Short

"This attack campaign, originally identified by Google's Threat Analysis Group, used two zero-day vulnerabilities in Adobe Flash and the down-level Windows kernel to target a specific set of customers," Terry Myerson, Microsoft's executive vice president of the Windows and Devices Group, says in a Nov. 1 blog post.

Attackers have been using malicious code to exploit the Adobe flaws and gain control of the browser process, exploiting the Windows kernel bug - present in Windows Vista to Windows 10 - to gain elevation of privileges, then installing a backdoor providing persistent access to the infected PC, Microsoft says.

The attacks were launched by the Russian hacking group variously known as APT28, Fancy Bear, Sofacy or Strontium, Microsoft says. Many security firms suspect the group tied to the Russian military intelligence agency known as the GRU. The group has been tied to attacks against the Democratic National Committee, amongst many others. The group's DNC attack and other hacks led the White House to formally accuse the Russian government of attempting to interfere in U.S. elections.

"Microsoft has attributed more 0-day exploits to Strontium than any other tracked group in 2016," Myerson says.

Flaw Revealed Before Patch Prepped

Microsoft says it plans to release a patch for the flaw as part of its next, regularly scheduled release of software and security updates, on Nov. 8.

"We have coordinated with Google and Adobe to investigate this malicious campaign and to create a patch for down-level versions of Windows," Myerson says. "Along these lines, patches for all versions of Windows are now being tested by many industry participants, and we plan to release them publicly on the next Update Tuesday, Nov. 8."

Google says it first alerted Microsoft and Adobe to the flaw on Oct. 21. The search giant says it gives vendors seven days to either acknowledge a flaw or release a patch, if the flaw is being targeted via in-the-wild attacks. In this case, it described the flaw as being "critical" and posing a "particularly serious" risk to users.

Adobe on Oct. 26 issued a new version of Flash that includes a patch for the exploited vulnerability, designated CVE-2016-7855. It said exploits for the flaw were "being used in limited, targeted attacks against users running Windows versions 7, 8.1 and 10."

Microsoft has continued to criticize Google for publicizing the flaw before a full Windows flaw was ready, especially since Adobe's Flash patch would have blocked this particular spear-phishing campaign.

"We believe responsible technology industry participation puts the customer first, and requires coordinated vulnerability disclosure," Myerson says. "Google's decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk."

The operational security expert known as the Grugq has also criticized Google's moves via Twitter. "It was absolutely critical that everyone not specifically targeted by GRU get exposed to every other threat actor instead. Disclosure works!"

He suggests the bug disclosure - before the flaw has been fully patched - would do nothing to deter the original attackers' exploits against high-value targets, while giving other attackers - intelligence agencies, cybercrime syndicates - a new tool for their attacks.

Giving everyone who isn't GRU the chance to recreate the exploit and use it before there is a patch. I feel safer already. Thanks guys!

Windows 10 Anniversary Update Blocks Exploits

One upside for anyone using the Windows 10 Anniversary Update version - released in August - together with the Microsoft Edge browser, is that they're protected against this attack campaign, even though the flaw still exists in the latest build of Windows 10, Microsoft says. "Prior to this attack, Microsoft implemented new exploit mitigations in the Windows 10 Anniversary Update version of the win32k kernel component," Myerson says. "These Windows 10 Anniversary Update mitigations, which were developed based on proactive internal research, stop all observed in-the-wild instances of this exploit."

Microsoft has used the incident to urge all Windows users to upgrade to Windows 10. "To address these types of sophisticated attacks, Microsoft recommends that all customers upgrade to Windows 10, the most secure operating system we've ever built," Myerson says. He adds that anyone who enabled the built-in Windows Defender Advanced Threat Protection feature would have enabled the OS to also detect and block related attacks.