Yesterday, we reported about the zero-day critical Windows flaw that Google publicly disclosed, which led to a war-of-words with Microsoft.
Microsoft believes that Google did not give them enough time to issue a fix before the public disclosure.
The privilege escalation bug is reportedly already being exploited by attackers, chained with Flash Player flaws to escape Windows security sandboxing. Adobe patched the zero-day flaws in Flash with an emergency fix last week, and Google likewise closed the Flash exploits in Chrome. Microsoft, however, has yet to issue a patch; the company is scheduled to release one on November 8.
Since Google reported that the vulnerability is a zero-day flaw and is already being exploited by hackers, who is actually behind the attacks?
We reported yesterday that according to Microsoft, the attacks were traced back to the Russian hacking group Strontium. Now, more details are emerging about this hacking campaign.
Strontium aka Fancy Bear
The group code-named Strontium, also known as Fancy Bear, is a Russian hacking group that U.S. intelligence officials blame as one of the groups responsible for the Democratic National Committee email hack. This revelation is in line with allegations from Washington that the Russian government is attempting to disrupt the upcoming 2016 U.S. elections.
U.S. intelligence cybersecurity experts say that Fancy Bear works for the GRU (Glavnoye Razvedyvatel'noye Upravleniye), the military intelligence agency of the Russian Federation and the main Russian government arm that U.S. officials blame for the election hacks and alleged disruptions.
This group is also suspected of launching the phishing attack that victimized Hillary Clinton's campaign chairman John Podesta and ex-Secretary of State Colin Powell.
Microsoft tags Strontium/Fancy Bear as the group associated with more zero-day exploits than any other tracked group in 2016.
According to Microsoft,
"STRONTIUM frequently uses compromised e-mail accounts from one victim to send malicious e-mails to a second victim and will persistently pursue specific targets for months until they are successful in compromising the victims’ computer. Once inside, STRONTIUM moves laterally throughout the victim network, entrenches itself as deeply as possible to guarantee persistent access, and steals sensitive information."
In fact, the recent Flash Player and Windows attacks were delivered via spear-phishing emails containing malicious links that led to the exploit.
Spear phishing is a targeted email scam aimed at a specific individual or organization. By sending carefully crafted emails that include identifiable personal data, the attackers make the messages appear to come from legitimate and trusted sources.
If the victim falls for the trap and opens a malicious attachment or link, spyware and data-theft malware can then be installed on the machine or the network, leading to further attacks.
Once the spear phishing attempt is successful, this is how the attack is executed as outlined by Microsoft's security blog:
- Exploit Flash to gain control of the browser process.
- Elevate privileges in order to escape the browser sandbox.
- Install a backdoor to provide access to the victim’s computer.
If you're a Windows user, here are the recommended ways to protect yourself from this latest zero-day attack.
Since it originates from a spear phishing campaign, it is vital that you:
- Don't download unsolicited email attachments, especially from unknown sources.
- Don't click on links in suspicious emails.
- Don't trust "official" emails from companies you don't do business with.
- Take a second to look at any "official" emails before you follow any instructions.
Also, as stated by Microsoft, while waiting for the November 8 patch, customers are advised to use Microsoft Edge on the Windows 10 Anniversary Update, since that configuration is believed to be protected from these attacks.
Google likewise encourages "users to verify that auto-updaters have already updated Flash and to manually update if not." The company also advises customers "to apply Windows patches from Microsoft when they become available."
If you're still using Flash, see the Adobe Flash Update Tool guide for instructions on updating it.