Windows Bugs Exploited by Russia-Linked Cyberspies with Patch Still a Week Away


Earlier this week, Google's Threat Analysis Group revealed a Windows zero-day vulnerability that is being actively exploited in the wild. Google went public with the information after giving Microsoft just 10 days to ship a patch, and the Redmond software giant wasn't happy with how Google handled the disclosure. Today, Microsoft acknowledged that the exploit is being used by a sophisticated threat group, the same group responsible for the hacks of the Democratic National Committee.

Terry Myerson, executive vice president of Microsoft's Windows and Devices group, said that a hacking group previously linked to the Russian government and to the political hacks in the US is behind recent cyber attacks exploiting the newly discovered Windows vulnerability.

Recently, the activity group that Microsoft Threat Intelligence calls STRONTIUM conducted a low-volume spear-phishing campaign. Customers using Microsoft Edge on Windows 10 Anniversary Update are known to be protected from versions of this attack observed in the wild. This attack campaign, originally identified by Google's Threat Analysis Group, used two zero-day vulnerabilities in Adobe Flash and the down-level Windows kernel to target a specific set of customers.

Windows zero-day patch will arrive on November 8

Strontium is most widely known as "Fancy Bear" or APT28. Fancy Bear has been linked to several high-profile cyber attacks, including attacks on government organizations in Germany and Turkey, the US Democratic Party, and the investigators of the flight MH17 crash.

Microsoft's advisory comes after Washington accused the Kremlin of launching a hacking campaign to influence and discredit the 2016 US Presidential election. Yesterday, the UK's MI5 also spoke of an "increasingly aggressive" Russia in cyberspace. Russia, however, has denied all of these accusations.

It's not clear whether the Windows zero-day was used as part of the US election hacks, which were also carried out through spear-phishing attacks.

Myerson noted that those using Windows 10 Anniversary Update with Windows Defender Advanced Threat Protection (ATP) are protected against this exploit. The software detects "STRONTIUM's attempted attacks thanks to ATP's generic behavior detection analytics and up-to-date threat intelligence."

The patch for the exploit is underway and will be released on the next Patch Tuesday, which falls on November 8. The exploit is used along with a similar Adobe Flash vulnerability, which has already been patched. Some have suggested that patching Flash would in turn protect users from the Windows vulnerability too; however, Microsoft has not confirmed that this workaround fixes the problem.

Microsoft is clearly annoyed by Google's decision to go public with the information, and Myerson commented on that as well. "Google's decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk," he wrote.