Microsoft says the Russian-linked hacking group known as Fancy Bear, famous for its alleged hacking of the Democratic National Committee, is now exploiting two Windows vulnerabilities in ongoing cyberattacks. The tech giant will issue a patch on Nov. 8.
The newest hacking campaign, originally identified by Google and acknowledged on Tuesday by Microsoft, utilizes two zero-day vulnerabilities in Adobe Flash and the Windows kernel. The campaign is described as a “low-volume spear-phishing campaign” targeting specific customers. That means the group is sending malicious emails, often from other hacked and trusted email addresses, to precise targets in hopes exploiting these vulnerabilities against them. Such a pursuit can last for over a year until successful. If successful, it ultimately gives the hackers complete control of a victim’s computer through a backdoor.
Known more widely as Fancy Bear, Microsoft calls the Russian-linked group STRONTIUM, a threat characterized by its “aggressive, persistent tactics and techniques, and its repeated use of new zero-day exploits to attack its targets,” according to a report on the group issued last year by Microsoft. STRONTIUM has been known since at least 2007. Today, it’s among the most potent threats in cyberspace.
“Microsoft has attributed more [zero-day] exploits to STRONTIUM than any other tracked group in 2016,” Terry Myerson, Microsoft’s Executive Vice President of the Windows and Devices Group wrote in a blog post on Tuesday.
“Its primary institutional targets have included government bodies, diplomatic institutions, and military forces and installations in NATO member states and certain Eastern European countries,” according to Microsoft’s researchers last year. “Additional targets have included journalists, political advisors, and organizations associated with political activism in central Asia.”
In addition to Fancy Bear and STRONTIUM, the group is known as Advanced Persistent Threat 28 (APT28), Sednit and Sofacy.
Fancy Bear’s standard operating procedure is to seek sensitive information through fake emails that make a target fear their account may be already compromised. Fake “privacy alert” emails pretending to be from Google or Microsoft may push a target to click a malicious link that can lead to an infection. That appears to be what happened to John Podesta, Hillary Clinton’s campaign chair, who in March 2016 received a fake alert to change his password. The fake email was so good that it fooled the Clinton campaign’s tech staff.
That email, along with thousands of others, were released by WikiLeaks over the last month as part of the sustained publication of over 41,000 Podesta emails so far.
Myerson criticized Google for disclosing the vulnerabilities on Monday before patches were tested and made available. He called the decision “disappointing, and puts customers at increased risk.”
Google’s Neel Mehta and Billy Leonard of the company’s Threat Analysis Group explained their decision to make public the vulnerabilities on Monday.
“After 7 days, per our published policy for actively exploited critical vulnerabilities, we are today disclosing the existence of a remaining critical vulnerability in Windows for which no advisory or fix has yet been released. This vulnerability is particularly serious because we know it is being actively exploited,” Google’s researchers wrote.
Microsoft recommends customers upgrade to Windows 10 and enable Windows Defender Advanced Threat Protection (ATP).