Recent Windows Kernel zero-day exploited by hackers behind the DNC hack

Executive vice president of Microsoft’s Windows and Devices group revealed that Windows Kernel zero-day recently disclosed was used by the Fancy Bear APT.

On Oct. 31, the Google Threat Analysis Group publicly disclosed a vulnerability in the Windows kernel that is actively being exploited by threat actors in the wild.

The zero-day could be exploited by attackers to gain administrator-level access by escaping the sandbox protection and execute malicious code.

The reason for going public without waiting for a patch is that its experts have observed exploits for the flaw in the wild.

According to Google disclosure timeline for vulnerability, when a flaw is exploited in the wild Google public disclosed the flaw after seven days.

“On Friday, October 21st, we reported 0-day vulnerabilities — previously publicly-unknown vulnerabilities — to Adobe and Microsoft. Adobe updated Flash on October 26th to address CVE-2016-7855; this update is available via Adobe’s updater and Chrome auto-update.” reads a blog post published by Google.

“After 7 days, per our published policy for actively exploited critical vulnerabilities, we are today disclosing the existence of a remaining critical vulnerability in Windows for which no advisory or fix has yet been released. This vulnerability is particularly serious because we know it is being actively exploited.”

On the other end, Microsoft criticized the Google decision because the disclosure potentially puts customers at risk.

“We believe in coordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk,” a Microsoft spokesperson said in a statement. “Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.”

Terry Myerson, executive vice president of Microsoft’s Windows and Devices group, confirmed that the Windows kernel  vulnerability was being exploited by an APT group in the wild, and the real surprise is that the hacker crew is the same that breached the Democratic National Committee and that targeted individuals involved in Clinton’s Presidential campaign.

Microsoft identifies the APT group as STRONTIUM, Pawn-Storm, APT28, and Fancy Bear are more familiar for us. This means that another Tech Giant has recognized the APT has well founded and capable of high-sophisticated operations. Many security firms argue the Fancy Bear is linked to the Kremlin and detailed their investigation that lead the experts into believe that it is a Russian nation-state group.

Myerson highlighted the importance of upgrading to Windows 10 for protection from further advanced threats while waiting for a patch for the Windows Kernel zero-day.

“Recently, the activity group that Microsoft Threat Intelligence calls STRONTIUMconducted a low-volume spear-phishing campaign. Customers using Microsoft Edge on Windows 10 Anniversary Update are known to be protected from versions of this attack observed in the wild. This attack campaign, originally identified by Google’s Threat Analysis Group, used two zero-day vulnerabilities in Adobe Flash and the down-level Windows kernel to target a specific set of customers.” reads the security advisory published by Microsoft.

Microsoft customers using Windows 10 with Windows Defender Advanced Threat Detection are not exposed to the exploitation of the flaw.

“Customers who have enabled Windows Defender Advanced Threat Protection (ATP) will detect STRONTIUM’s attempted attacks thanks to ATP’s generic behavior detection analytics and up-to-date threat intelligence.” continues the advisory.

Fancy Bear was one of the two APT groups involved in the DNC hack, COZY BEAR and FANCY BEAR, it powered many other attacks, including the hacks of both Clinton campaign Chair John Podesta and the former Secretary of State Colin Powell.

At the time I was writing there is no news about the possible use of the Windows Kernel zero-day as part of the above attacks.

Stay Tuned!

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Windows Kernel Zero-day, Fancy Bear)