Microsoft is working to protect millions of Windows users from a computer bug currently being exploited by supposed state-sponsored hackers.
A hacker group known to Microsoft as “STRONTIUM” has been leveraging a pair of vulnerabilities during the course of conducting a recent cyberattack campaign, including a flaw affecting several versions of its Windows operating system and a previously unpatched Adobe Flash bug, the company said in a blog post Tuesday.
Microsoft didn’t name the victims of the apparent campaign, but has linked the group before with a series of hacks widely believed to be waged on behalf of the Russian government, including recent intrusions suffered by the U.S. Democratic Party in the lead up to next month’s presidential election.
More recently, according to Microsoft, the hackers incorporated the two bugs into a low-volume spear-phishing campaign — a commonly used hacking tactic that typically involves seeking out specific targets that could be potentially compromised by opening a malicious link or email attachment.
The hack as designed involves tricking targets into letting attackers leverage the Flash vulnerability in order to gain control of a victim’s web browser. From there, attackers could potentially exploit the Windows bug and install a backdoor that could be used at a later date to access an infected computer running a vulnerable version of Windows, Microsoft said.
Adobe has already released an update addressing the Flash vulnerability, and Microsoft said a Windows fix is expected to be rolled-out Election Day, November 8. Microsoft said its latest operating system, the Windows 10 Anniversary Update, isn’t susceptible to the bug, but other versions going back to Windows Vista are.
Both flaws were first spotted by Google’s security experts and raised in a security warning issued Monday out of Mountain View much to the dismay of Microsoft.
“We believe responsible technology industry participation puts the customer first, and requires coordinated vulnerability disclosure. Google’s decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk,” Terry Myerson, Microsoft executive vice president of Windows and Devices, said in Tuesday’s blog post.
On its part, Google said it decided to publicize details about the bug Monday after giving Microsoft a week to act on its own.
“After 7 days, per our published policy for actively exploited critical vulnerabilities, we are today disclosing the existence of a remaining critical vulnerability in Windows for which no advisory or fix has yet been released,” said Google threat analysts Neel Mehta and Billy Leonard. “This vulnerability is particularly serious because we know it is being actively exploited.”
Known to security researchers by other names including “Fancy Bear,” “APT28” and “Threat Group-4127,” the hackers blamed with the spear-phishing campaign have previously been attributed with recent attacks waged against the Democratic National Committee as well as John Podesta, the chairman of Democratic candidate Hillary Clinton’s presidential campaign who had his personal email account compromised by hackers and its contents handed off to WikiLeaks for publication.
A March email to Mr. Podesta published last week by WikiLeaks showed how Mrs. Clinton’s campaign manager was likely compromised by a phishing email masquerading as a security warning sent from Google. Investigators have traced a malicious domain included in that email with a widespread spear-phishing campaign conducted against victims of similar breaches blamed on Russia, including the DNC and current and former members of western governments and militaries.
The Obama administration formally blamed Moscow last month for the recent hacks and email leaks, though Russian President Vladimir Putin has denied any role.
• Andrew Blake can be reached at ablake@washingtontimes.com.
Please read our comment policy before commenting.