In a guest blog post, Terry Myerson, Executive Vice President of Microsoft's Windows and Devices Group, explained that attackers conducted a low-volume spear-phishing campaign. First spotted by Google's Threat Analysis Group, the attack chained two zero-day vulnerabilities, one in Adobe Flash and one in the kernel of down-level versions of Windows, to target a specific set of customers.
Microsoft is investigating the campaign in coordination with Google and Adobe and is creating a patch for down-level versions of Windows; patches for all versions of Windows are being thoroughly tested before release.
Another reason to update to Windows 10
Microsoft points out that Microsoft Edge on Windows 10 Anniversary Update is protected from the known versions of this attack. With that in mind, it recommends that all customers upgrade to Windows 10, which it describes as its most secure operating system to date.
Microsoft also describes the three steps STRONTIUM's attack must complete to succeed:
- Exploit Flash to gain control of the browser process
- Elevate privileges, using the Windows kernel vulnerability, to escape the browser sandbox
- Install a backdoor to provide persistent access to the victim's computer
Microsoft says it has several threat prevention and exploit mitigation features available to counter each of these steps.
Windows Defender Advanced Threat Protection (ATP) gets special mention: customers who have enabled it can detect STRONTIUM's attempted attacks, because multiple behavioral and machine-learning detection rules, combined with up-to-date threat intelligence, detect several stages of the attack chain.
One notable bit of the post is Microsoft's dissatisfaction with Google's handling of the situation: disclosing the vulnerabilities before patches were available. Microsoft argues that coordinated disclosure puts customers first, and says Google's decision is “disappointing, and puts customers at increased risk.”
STRONTIUM, also known as Fancy Bear or APT28, is a well-known threat group. The United States has accused it of being responsible for recent political cyber attacks and of working for Russia's military intelligence agency. Microsoft states that it has attributed more zero-day exploits to STRONTIUM than to any other group it tracked in 2016.