A new security report casts doubt on Microsoft’s attempts to downplay a zero-day exploit used by the Russian APT group Pawn Storm.
Earlier this month, a company executive characterized the threat actor’s use of the exploit as a “low volume spearphishing campaign”, although a Trend Micro report published Wednesday noted that the APT, known also as Fancy Bear, APT28, Sofacy, and Stronium, “started to expose much more targets to these vulnerabilities” after Adobe patched a use-after-free vulnerability (CVE-2016-7855) in its Flash player.
Trend Micro threat researchers Stephen Hilt and Feike Hacquebord wrote in the report, entitled Pawn Storm Ramps Up Spear-phishing Before Zero-Days Get Patched, that the firm saw “several campaigns against still-high-profile targets since October 28 until early November, 2016.”
Pawn Storm’s expanded use of the exploits is “standard adversary behavior,” according to Invincea CISO Chris Day. In an email to SC Media, he wrote that attackers use high-value exploits more broadly after the tools are discovered and are “declining in utility against high-value targets”.
Microsoft encouraged customers to upgrade to Windows 10 and enable Windows Defender Advanced Threat Protection (ATP), a feature that Terry Myerson, executive vice president of Windows and Devices, promised would “detect Stronium’s attempted attacks.” However, the software giant did not patch the privilege escalation vulnerability (CVE-2016-7255) affecting the Windows operating system until November 8th, more than a week after Google disclosed the zero-day.
Pawn Storm is the same APT group that has been linked to hacks of the Democratic Congressional Campaign Committee (DCCC), Democratic National Committee (DNC), the Olympic drug-testing agency WADA, and email accounts of Hillary Clinton Campaign Chairman John Podesta, former Secretary of State Colin Powell, and other individuals.
The APT group “gathers geopolitical information that would be specifically relevant to Russia and it uses the information to leverage future attacks,” according to Institute for Critical Infrastructure Technology senior fellow James Scott. He wrote in an email to SC Media that the group “uses spear phishing campaigns, sophisticated malware, and zero-day exploits” to infiltrate networks of European governments, NATO affiliates, military, security, and news organizations “with the intent of exfiltrating state information that could be used to influence policy decisions, public opinion, or geopolitical issues.”
Microsoft has gone to great lengths to dispute Google’s characterization of a known zero-day exploit as a “critical” flaw. Last week, a representative for the software company told SC Media that the company disagrees “with Google’s characterization of a local elevation of privilege as ‘critical’ and ‘particularly serious,’ since the attack scenario they describe is fully mitigated by the deployment of the Adobe Flash update released last week.” The spokesperson claimed that the attack “was never effective against the Windows 10 Anniversary Update due to security enhancements previously implemented”.