PINDROP BLOG

Microsoft Says Russian Group Exploiting Windows Zero Day

Microsoft’s security team says the zero-day vulnerability in Windows discovered by Google researchers recently is being exploited by an attack group that has been linked to the hacks of the Democratic National Committee and other political targets in the United States.

The group, which Microsoft calls Strontium, has been linked to Russia, and Microsoft officials said it has been seen actively exploiting a use-after-free vulnerability in the Windows kernel that is still unpatched. Google researchers discovered the bug, along with a critical flaw in Adobe Flash, last month and disclosed the flaws to the two vendors. Adobe patched the Flash vulnerability in late October, but Microsoft has not yet released a fix for the Windows bug.

Google disclosed some limited details of the Microsoft vulnerability last week, on the grounds that the flaw was being actively exploited. On Tuesday, Microsoft officials said the attackers are chaining the Flash bug and the Windows bug in highly targeted attacks.

“Recently, the activity group that Microsoft Threat Intelligence calls STRONTIUM conducted a low-volume spear-phishing campaign. Customers using Microsoft Edge on Windows 10 Anniversary Update are known to be protected from versions of this attack observed in the wild. This attack campaign, originally identified by Google’s Threat Analysis Group, used two zero-day vulnerabilities in Adobe Flash and the down-level Windows kernel to target a specific set of customers,” Terry Myerson, executive vice president of the Windows and devices group at Microsoft, said in a post on the attacks.

The attacks the Strontium group is running involve three stages: exploiting the recent Flash vulnerability to get control of the browser, using the Windows zero-day to escalate privileges, and then installing a backdoor to maintain persistence on the compromised machine.

“STRONTIUM frequently uses compromised e-mail accounts from one victim to send malicious e-mails to a second victim and will persistently pursue specific targets for months until they are successful in compromising the victims’ computer. Once inside, STRONTIUM moves laterally throughout the victim network, entrenches itself as deeply as possible to guarantee persistent access, and steals sensitive information,” Myerson said.

“Following successful elevation of privilege, a backdoor is downloaded, written to the file system, and executed into the browser process.”

The Windows vulnerability affects Vista through Windows 10 Anniversary Update, but Myerson said there are mitigations in place in the latest version of Windows that stop the attacks that have been seen in the wild. Myerson said Microsoft is working on a fix for the vulnerability now.

Image: Marcell Schwarz, CC By-SA 2.0 license