Microsoft: Suspected Russian State Hackers Are Exploiting Windows Zero-Day Vulnerability


Microsoft says the Windows vulnerability that Google published Monday is being actively exploited by members of the Strontium group. That is the same group that carried out political hacks on the United States, which that country attributed to Russia.

The attacks are “small numbers of targeted phishing attacks” on vulnerable Windows systems, Microsoft said in a blog post. The company states that users of the Windows 10 Anniversary Update are protected from the attacks as long as they use the Edge browser. For a successful attack, the Strontium group uses two zero-day vulnerabilities in Flash in conjunction with the Windows vulnerability. Adobe has already released a patch; Microsoft says it intends to do so on the next ‘Patch Tuesday’, November 8th.

Microsoft writes that it sorts various threat actors into groups and that it attributes the use of this Windows vulnerability to the Strontium group. Ars Technica reports that Microsoft uses this designation for the same group known as “APT28” or “Fancy Bear.” For example, this group was seen as responsible for hacks on the US Democratic Party and on the German Bundestag in 2015. Microsoft reports that Strontium is mainly known for hacks on government institutions, military targets and related private companies. In doing so, the group is said to exploit a large number of zero-day vulnerabilities.

A successful attack with the vulnerabilities discovered by Google requires that an attacker first gain control of the browser process through the vulnerability in Flash. After that, the attacker can use the Windows kernel vulnerability to escape the browser sandbox and install a backdoor on the system.

Google made the Windows vulnerability public on Monday, ten days after it reported the vulnerability to Microsoft and Adobe. Microsoft criticized the publication because it could endanger users. Google defended its decision by pointing out that the vulnerability is being actively exploited.
