Microsoft issued a warning about the APT group most commonly known as “Fancy Bear,” or APT 28, and how it is exploiting the zero-day disclosed by Google on Halloween.
Microsoft agreed that the zero-day is being actively exploited and pointed a finger of blame at a hacking group that is believed to be tied to the Russian government; the same group is believed to be responsible for hacks that resulted in data breaches at the Democratic National Committee and the Clinton campaign.
Microsoft does not call the APT group “Fancy Bear” as its codename for the threat group is STRONTIUM. Terry Myerson, executive vice president of Microsoft’s Windows and Devices Group, wrote:
Recently, the activity group that Microsoft Threat Intelligence calls STRONTIUM conducted a low-volume spear-phishing campaign. Customers using Microsoft Edge on Windows 10 Anniversary Update are known to be protected from versions of this attack observed in the wild. This attack campaign, originally identified by Google’s Threat Analysis Group, used two zero-day vulnerabilities in Adobe Flash and the down-level Windows kernel to target a specific set of customers.
A patch is coming, but not an out-of-band fix; Microsoft will release the patch when it normally releases all security updates, on Patch Tuesday, which also happens to be Election Day—Nov. 8.
Until then, Microsoft advised using Windows 10 and enabling Windows Defender Advanced Threat Protection (ATP), as it “will detect STRONTIUM’s attempted attacks thanks to ATP’s generic behavior detection analytics and up-to-date threat intelligence.”
“Microsoft has attributed more zero-day exploits to STRONTIUM than any other tracked group in 2016,” Myerson added. He explained that STRONTIUM usually compromises email accounts and then sends malicious emails from those accounts to other targets. The group “will persistently pursue specific targets for months until they are successful in compromising the victims’ computer. Once inside, STRONTIUM moves laterally throughout the victim network, entrenches itself as deeply as possible to guarantee persistent access, and steals sensitive information.”
Fancy Bear must complete three steps to successfully pwn a target. Exploit Flash and then a kernel elevation of privilege flaw, which is in every supported version of Windows. However, Myerson noted that Microsoft implemented mitigations in Windows 10 Anniversary Update, which should “stop all observed in-the-wild instances of this exploit.” Otherwise, once Fancy Bear has achieved EoP, “a backdoor is downloaded, written to the file system and executed into the browser process.”
Microsoft couldn’t resist remarking upon responsible disclosure and its disappointment in Google: “We believe responsible technology industry participation puts the customer first and requires coordinated vulnerability disclosure. Google’s decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing and puts customers at increased risk.”
Google’s disclosure came seven days after notifying Microsoft, but before Microsoft patched. Adobe released security updates for Flash Player on October 26. Google believed going public was the right thing to do, saying, “This vulnerability is particularly serious because we know it is being actively exploited.”
Both companies say using their browsers, Chrome on Windows 10 or Microsoft’s Edge on Windows 10 Anniversary Update, should protect you from a successful attack.