Microsoft has identified the Russian APT group known as Fancy Bear as using a Windows zero-day to attack unnamed organizations. Some say it’s an attempt to manipulate the outcome of next week’s US election by targeting political organizations.
Google reported that an unpatched Windows zero-day vulnerability was being exploited in the wild—and Microsoft now says it is being used in a low-volume spear-phishing campaign by Fancy Bear (which it calls STRONTIUM). The flaw affects every version of Windows prior to Windows 10.
“This attack campaign, originally identified by Google’s Threat Analysis Group, used two zero-day vulnerabilities in Adobe Flash [now patched] and the down-level Windows kernel to target a specific set of customers,” Microsoft noted in a threat bulletin.
It also reiterated that the group, which also goes by APT 28, Pawn Storm or Sofancy, usually targets government agencies, diplomatic institutions, and military organizations, as well as affiliated private sector organizations such as defense contractors and public policy research institutes—and that it has attributed more 0-day exploits to Fancy Bear than any other tracked group in 2016.
“STRONTIUM frequently uses compromised e-mail accounts from one victim to send malicious e-mails to a second victim and will persistently pursue specific targets for months until they are successful in compromising the victim's computer,” Microsoft noted. “Once inside, STRONTIUM moves laterally throughout the victim network, entrenches itself as deeply as possible to guarantee persistent access, and steals sensitive information.”
The group has ties to the Kremlin, according to the US government and multiple security researchers, and has been suspected of hacking high-profile political targets like the DNC in order to sway the election in GOP candidate Donald Trump’s favor—Trump is known to have a cozier relationship to Russian President Vladimir Putin than rival Hillary Clinton.
“Though Microsoft hasn’t named the targets of the attacks, the fact that the group previously hit the DNC makes me wonder whether the latest hacks are also politically motivated,” said Vishal Gupta, CEO of Seclore, via email. “I expect that more light will be shed on the incident in the coming week, but this incident currently has the signs of a last ditch effort made by the Russians to seed unrest ahead of the election.”
Dimitri Sirota, CEO and co-founder at BigID, disagrees with that assessment. He told Infosecurity, “Russia’s cyberwar was not likely a one-time thing intended to influence the election. Rather, this is a deliberate and systematic attempt to exploit users for some advantage. This raises the specter that purloined information in future could be used for both intelligence, or more damagingly blackmail, to influence influencers.”
Ironically, Microsoft said that it expects patches for all versions of Windows to be available on Election Day (Tuesday, Nov 8).
Alex Heid, chief research officer at SecurityScorecard, notes that this timeline represents a big mistake, the byproduct of sloppy disclosure handling by those involved.
“This particular vulnerability disclosure is interesting due to the miscommunication and lack of coordination between affected vendors,” he told Infosecurity. “It is reported that Google released technical details about the Flash vulnerability and issued a patch for Google Chrome, before Microsoft was able to address the exploitable conditions that reside within the WindowsOS. The time gap provides an extra week of exploitable conditions from the standpoint of an attacker, leaving Microsoft Windows users exposed to other potential attacks that may exploit the same kernel vulnerability through a different vector.”
To prevent oneself from becoming a victim of the unpatched zero-day, there are browser extensions available that will prevent the automatic execution of embedded applets, such as Flash or HTML5.
Heid suggests using: AdBlock Plus, an advertisement blocker for Firefox and Chrome; Flashblock, a Flash blocker for Firefox; Flashcontrol, a Flash blocker for Chrome; NoScript, a Javascript blocker for FireFox; or ScriptSafe, a Javascript blocker for Chrome.
Windows 10 users are protected, so an update to the latest OS should do the trick as well.
Photo © BeeBright