Russian Hackers Exploit Windows Flaw
Microsoft says a group that has been linked to Russian state-sponsored hacking and the theft of Democratic National Committee emails was behind a new round of cyber attacks targeting Windows users and exploiting a windows flaw.
The Redmond company Tuesday said a hacking campaign disclosed this week had exploited previously unknown vulnerabilities in Microsoft’s Windows operating system and Adobe’s Flash in an attempt to gain control of computers. The group behind the attacks, which Microsoft calls Stronium, targeted a “specific set of customers,” Microsoft said without identifying the victims.
Microsoft declined to comment beyond a blog post detailing the attacks. The vulnerability in Windows is slated to be fixed in a patch set for release Nov. 8.
Microsoft didn’t tie the attacks to Russia itself.
But Stronium, which Microsoft security researchers described in a research report last year and which is more widely known as “Fancy Bear” or “APT 28,” has been linked to Russian-state hacking.
CrowdStrike, a cyber security firm hired by the DNC after the theft and subsequent release via WikiLeaks of 20,000 emails from the campaign group, said Stronium was among the intruders in the DNC’s computer systems earlier this year. The group’s activities fit the pattern of Russian state-sponsored hacking, CrowdStrike says.
U.S. intelligence agencies have accused Russia of hacking American political sites in an attempt to interfere with the U.S. presidential election.
In its analysis last year, Microsoft said Stronium primarily targets government bodies, diplomatic institutions and military forces in NATO-member nations and Eastern European countries. Microsoft didn’t name Russia as a source of the attacks, but the attacks align with some likely targets of Russian state hacking.
The software flaws under attack were disclosed on Monday by Google.
Security researchers with the search giant said they contacted Adobe and Microsoft on Oct. 21 to inform them of the flaws in their software. Adobe patched the flaw in Flash on Oct. 26.
Google’s policy is to publicly disclose critical security holes if there is no fix a week after informing the company that makes the software. “This vulnerability is particularly serious because we know it is being actively exploited.”- Google security researchers wrote in a blog post.
Microsoft’s statement Tuesday, attributed to Windows and Devices Executive Vice President Terry Myerson, fired back at Google for disclosing the flaws. “We believe responsible technology industry participation puts the customer first, and requires coordinated vulnerability disclosure,” Myerson said.
“Google’s decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing and puts customers at increased risk.” Myerson said Windows users running the latest version of Windows 10 and Microsoft’s Edge browser were protected from versions of the attacks the company has observed.
Google declined to comment on Myerson’s statement.
The vulnerabilities disclosed this week were targeted in spear-phishing attacks, Microsoft said. Such attacks are typically designed to fool an email user into clicking on a malicious link or opening an attachment that grants the attacker access to more of the computer’s functions.
Google and Microsoft are in a war of words after the search engine company publicized a critical Windows bug just 10 days after telling the software firm about it.
The bug, which allows privilege escalation in Windows, was discovered by Google on 21 October. An attacker can use it to access things they should not be able to, and according to Google, it is already being actively exploited in the wild.
That caused Google to declare the bug “particularly serious”, and give Microsoft just seven days to fix it before it would go public and tell the world about the error. The rationale for such disclosure programs is part preventative and part punitive: it allows others using unpatched versions of Windows to be aware of the danger, even if they cannot fix it until Microsoft releases a patch, but it also serves to publicly berate the developer for their delay in fixing the bug.
Microsoft has responded with anger at not being given time to properly issue a patch. “We believe in coordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk,” a Microsoft spokesperson told tech news site VentureBeat. “Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.”
It’s not even the first time Google and Microsoft have squabbled over the former’s tight timeline for fixing vulnerabilities. In 2015, Google published another bug online 90 days after informing Microsoft, just a few weeks before the company planned to roll out its own patch. In that case, the bug was agreed by both companies to be non-critical, and so Microsoft planned to delay its patch until a regular roll-out, but Google refused to budge on the time limit.
Microsoft’s Chris Betz wrote at the time “The decision feels less like principles and more like a ‘gotcha’, with customers the ones who may suffer as a result. What’s right for Google is not always right for customers.”
He added: “We ask that researchers privately disclose vulnerabilities to software providers, working with them until a fix is made available before sharing any details publicly. It is in that partnership that customers benefit the most. Policies and approaches that limit or ignore that partnership do not benefit the researchers, the software vendors, or our customers. It is a zero sum game where all parties end up injured.”