Microsoft says Russian hackers behind exploit of unpatched Windows flaw, revealed by Google
Microsoft has warned Russian-linked hackers are responsible for cyber attacks that exploit an unpatched Windows vulnerability disclosed earlier this week by Google, much to Microsoft’s anger.
Redmond took the opportunity to have another go at Google’s controversial security programme, criticising it for a lack of “responsible technology industry participation”.
“Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible,” said Terry Myerson, head of Microsoft’s Windows and Devices Group. “And we take this responsibility very seriously.”
“Recently, the activity group that Microsoft Threat Intelligence calls Strontium conducted a low-volume spear-phishing campaign. This attack campaign, originally identified by Google’s Threat Analysis Group, used two zero-day vulnerabilities in Adobe Flash and the down-level Windows kernel to target a specific set of customers.”
Myerson stated that Microsoft has worked with Google and Adobe to create a patch.
Adobe already patched its Flash Player last week in an emergency update, but Microsoft will patch Windows on 8 November, as part of its regular Patch Tuesday security update.
Microsoft has made no secret of its displeasure with Google, which has a policy to disclose flaws on a set schedule whether the flaws have been fixed or not.
In most cases Google waits 60 days before disclosure, but when a bug is known to be actively exploited to attack systems – as in this instance – the period drops to a much more aggressive seven days.
“We believe responsible technology industry participation puts the customer first, and requires coordinated vulnerability disclosure,” stated Myerson. “Google’s decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk.”
Microsoft recommended users upgrade to Windows 10, and said that users who have enabled Windows Defender Advanced Threat Protection (ATP) will detect the attacks thanks to its generic behaviour detection analytics and up-to-date threat intelligence.
In a blog post, Microsoft said it has identified the group behind the attack, which it said was a Russian state-backed hacking group called Strontium (otherwise known as ‘Fancy Bear’ or ‘APT 28’).
It comes after US intelligence officials last month officially blamed this group, which they said was linked to “senior” Russian government figures. These hackers, according to the US, are responsible for recent politically motivated hacking incidents, including the release of emails stolen from the Democratic National Committee (DNC).
“Strontium is an activity group that usually targets government agencies, diplomatic institutions, and military organisations, as well as affiliated private sector organisations such as defence contractors and public policy research institutes,” added Myerson.
“Microsoft has attributed more 0-day exploits to Strontium than any other tracked group in 2016. Strontium frequently uses compromised email accounts from one victim to send malicious emails to a second victim and will persistently pursue specific targets for months until they are successful in compromising the victims’ computer.
“Once inside, Strontium moves laterally throughout the victim network, entrenches itself as deeply as possible to guarantee persistent access, and steals sensitive information.”
It is reported that Strontium works for Russia’s military intelligence agency, the GRU.