Microsoft has singled out Sofacy, an APT group long thought to have ties to Russia’s military intelligence arm GRU, as the entity behind targeted attacks leveraging Windows kernel and Adobe Flash zero days in targeted attacks.
The group, which Microsoft calls Strontium, is also known as APT28, Tsar Team and Sednit among other identifiers.
Microsoft said the zero day vulnerability, the existence of which along with limited details were disclosed on Monday by Google, will be patched Nov. 8. Google said yesterday it privately disclosed both zero days, which were used in tandem in these targeted attacks against unknown victims, to Microsoft and Adobe on Oct. 21. Adobe rushed an emergency patch for Flash Player on Oct. 26, while Microsoft had yet to acknowledge the vulnerability until Google’s disclosure. Microsoft was critical of Google’s action yesterday and reiterated its stance today in a post, providing some details on the vulnerability and attacks.
“We believe responsible technology industry participation puts the customer first, and requires coordinated vulnerability disclosure,” said Terry Myerson, executive vice president Windows and Devices Group at Microsoft. “Google’s decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk.”
Microsoft added that it is coordinating with Google and Adobe on the patch, which is being tested by partners. Nov. 8 is Microsoft’s next scheduled patch release.
Microsoft said that the attacks were spreading in what it called a “low volume” spear phishing campaign. Sofacy’s targets are largely strategic: government agencies, diplomatic institutions, military organizations, defense contractors and public policy research institutes.
“Microsoft has attributed more 0-day exploits to STRONTIUM than any other tracked group in 2016,” Myerson said.
Sofacy has been blamed by the U.S. government for attacks against the Democratic National Committee, and Russia has been accused of allegedly attempting to influence the U.S. presidential election via these hacks.
The attacks chained the two zero days in order to gain persistent access to the targeted computers, Microsoft said. First, an exploit was used against the Flash vulnerability, a use-after-free flaw in ActionScript runtime code running in the software. Once Flash was compromised in order to gain control of the browser process, the attackers used a second exploit to target a Windows kernel vulnerability, present in Windows Vista through current versions of Windows 10, to elevate privileges and escape the browser sandbox. From there, they were able to install a backdoor and gain persistent access on the victim’s computer in order to send more commands to move stolen data off the machine.
Microsoft said that the particular win32k kernel component targeted in these attacks had been recently updated with new exploit mitigations that should prevent the exploits from working. Microsoft also said that the backdoor DLL used in these attacks can be blocked via strict Code Integrity policies, which Microsoft’s Edge browser does natively. It’s unknown whether the attacks were successful.
“This does not guarantee that attackers will not find an alternative workaround, but Microsoft will issue a comprehensive update to address the issue soon,” Myerson said.
Yesterday’s abrupt disclosure by Google was in accordance with its internal policies, which gives vendors 60 days to patch critical vulnerabilities, or notify users about the risk and any workarounds or temporary mitigations, and seven days to at a minimum report on critical flaws under active exploitation.
“Seven days is an aggressive timeline and may be too short for some vendors to update their products, but it should be enough time to publish advice about possible mitigations, such as temporarily disabling a service, restricting access, or contacting the vendor for more information,” Google said in 2013 upon publicizing its disclosure policy.