Microsoft said the Windows zero-day is being actively exploited by the same APT group that is responsible for the DNC hack.
Microsoft issued a warning about the APT group most commonly known as “Fancy Bear,” or APT 28, and how it is exploiting the zero-day disclosed by Google on Halloween.
Microsoft does not call the APT group “Fancy Bear” as its codename for the threat group is STRONTIUM. Terry Myerson, executive vice president of Microsoft’s Windows and Devices Group, wrote:
Recently, the activity group that Microsoft Threat Intelligence calls STRONTIUM conducted a low-volume spear-phishing campaign. Customers using Microsoft Edge on Windows 10 Anniversary Update are known to be protected from versions of this attack observed in the wild. This attack campaign, originally identified by Google’s Threat Analysis Group, used two zero-day vulnerabilities in Adobe Flash and the down-level Windows kernel to target a specific set of customers.
A patch is coming, but not an out-of-band fix; Microsoft will release the patch when it normally releases all security updates, on Patch Tuesday, which also happens to be Election Day—Nov. 8.
Until then, Microsoft advised using Windows 10 and enabling Windows Defender Advanced Threat Protection (ATP), as it “will detect STRONTIUM’s attempted attacks thanks to ATP’s generic behavior detection analytics and up-to-date threat intelligence.”
“Microsoft has attributed more zero-day exploits to STRONTIUM than any other tracked group in 2016,” Myerson added. He explained that STRONTIUM usually compromises email accounts and then sends malicious emails from those accounts to other targets. The group “will persistently pursue specific targets for months until they are successful in compromising the victims’ computer. Once inside, STRONTIUM moves laterally throughout the victim network, entrenches itself as deeply as possible to guarantee persistent access, and steals sensitive information.”
Fancy Bear must complete three steps to successfully pwn a target. Exploit Flash and then a kernel elevation of privilege flaw, which is in every supported version of Windows. However, Myerson noted that Microsoft implemented mitigations in Windows 10 Anniversary Update, which should “stop all observed in-the-wild instances of this exploit.” Otherwise, once Fancy Bear has achieved EoP, “a backdoor is downloaded, written to the file system and executed into the browser process.”
Microsoft couldn’t resist remarking upon responsible disclosure and its disappointment in Google: “We believe responsible technology industry participation puts the customer first and requires coordinated vulnerability disclosure. Google’s decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing and puts customers at increased risk.”
Article credit: http://www.networkworld.com/article/3137964/security/microsoft-windows-0-day-exposed-by-google-is-being-exploited-by-russian-dnc-hackers.html
President & CEO
I hope you enjoyed this article. My mission is to take your stress away from dealing with IT problems. Call (252) 565-1235 or send me a message at our contact us page if you have a question, comment or want help.