Pawn Storm raced to pop many targets before Windows zero-day patch release

As promised, Microsoft this Tuesday provided a patch for the Windows zero-day (CVE-2016-7855) that the Strontium (aka Pawn Storm) cyber espionage group has been actively exploiting.

The initial attacks

The attackers used a Flash Player use-after-free zero-day vulnerability to gain control of the browser process and the Microsoft zero-day to elevate privileges and escape the browser sandbox, so that they could install a backdoor on the targets’ computers.

Pawn Storm Windows zero-day exploit chain

The attacks and vulnerabilities were first identified by Google researchers, who notified Microsoft and Adobe on October 21, but while Adobe pushed out an update with the patch on October 26, Microsoft did not manage to do the same until yesterday.

Google’s researchers went public with the flaw on October 31, forcing Microsoft to disclose more details about the attacks.

Annoyed by this action, Microsoft complained publicly that Google was putting customers at increased risk by sharing this information. They pointed out that the attack was a low-volume spear-phishing campaign directed at specific targets, not Windows users in general, and that this attack chain had already been broken with the latest Flash Player update.

But the thing is: however much we wish otherwise, security updates are rarely applied as soon as they are pushed out.

Later attacks

According to Trend Micro researchers, since the Adobe fix and the announcement of the Windows zero-day patch, the Pawn Storm attackers ramped up their spear-phishing campaigns against various governments and embassies around the world, seeking to maximize the utility of the soon-to-be patched Windows zero-day.

“We saw several campaigns against still-high-profile targets since October 28 until early November, 2016,” the researchers noted.

Some of the e-mails posed as an invitation to a “Cyber Threat Intelligence and Incident Response conference in November” by Defense IQ. The e-mail contained an RTF document named “Programm Details.doc,” which contained an embedded Flash file that downloaded a Flash exploit for the just-patched CVE-2016-7855.
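A defender-side check for the kind of lure described above: the script below is an added example, not code from Trend Micro or from this article. It decodes the hex-encoded `\objdata` payloads of an RTF file and flags any embedded object whose data carries an SWF (Flash) header; the RTF bytes it scans are constructed for the demonstration and are not the real attachment.

```python
import re

# SWF file signatures: uncompressed, zlib-compressed and LZMA-compressed.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")

def _embedded_objects(rtf: bytes):
    """Yield (objclass, payload) for every \\objdata group in an RTF document.

    payload is the hex-encoded object data decoded to raw bytes; objclass is the
    \\objclass value declared shortly before it, or "" if none was found."""
    for m in re.finditer(rb"\\objdata\b", rtf):
        depth, end = 1, m.end()
        while end < len(rtf) and depth > 0:  # walk to the end of the enclosing group
            depth += {b"{": 1, b"}": -1}.get(rtf[end:end + 1], 0)
            end += 1
        body = re.sub(rb"\\[a-zA-Z]+-?\d*\s?", b"", rtf[m.end():end - 1])  # drop control words
        hexdigits = b"".join(re.findall(rb"[0-9a-fA-F]+", body))
        hexdigits = hexdigits[:len(hexdigits) - len(hexdigits) % 2]  # drop a stray nibble
        cls = re.search(rb"\\objclass\s+([^{}\\]+)", rtf[max(0, m.start() - 256):m.start()])
        objclass = cls.group(1).strip().decode("ascii", "replace") if cls else ""
        yield objclass, bytes.fromhex(hexdigits.decode("ascii"))

def find_embedded_swf(rtf: bytes):
    """Return [(objclass, magic, offset)] for each embedded object containing an SWF header."""
    hits = []
    for objclass, payload in _embedded_objects(rtf):
        for magic in SWF_MAGICS:
            off = payload.find(magic)
            if off != -1 and off + 3 < len(payload):  # magic must be followed by a version byte
                hits.append((objclass, magic.decode(), off))
                break
    return hits

# Constructed sample: a minimal RTF with an embedded object whose data wraps a
# zlib-compressed SWF header. These bytes are made up for the demo, not a real exploit.
_OLE_WRAPPER = bytes.fromhex("0105000002000000")  # constructed OLE1-style prefix
_SWF_STUB = b"CWS\x0a" + b"\x00" * 12
SAMPLE_RTF = (b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass ShockwaveFlash.ShockwaveFlash.1}"
              b"{\\*\\objdata " + (_OLE_WRAPPER + _SWF_STUB).hex().encode() + b"}}}")
# Constructed benign document: an embedded object with no SWF signature inside.
CLEAN_RTF = b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata 0105000002000000}}}"

if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_RTF), ("clean", CLEAN_RTF)):
        print(name, find_embedded_swf(doc))
```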

“In one of Pawn Storm’s campaigns on November 1, the subject line was ‘European Parliament statement on nuclear threats.’ The e-mail seemingly came from a real press officer working for the media relations office of the European Union, but in reality, the sender e-mail address was forged. Clicking on the link in the spear-phishing e-mail led to the exploit kit of Pawn Storm,” they added.

I believe that Google has, in this case, done well by revealing the active exploitation of the zero-day and forcing Microsoft to explain who is behind the attacks and how they are perpetrated.

Hopefully that allowed some of the later targets to avoid getting compromised, either by updating Flash immediately, by temporarily stopping its use, or by keeping a more watchful eye on incoming emails.

The release of Microsoft’s patch is also no guarantee that the group will immediately stop its spam campaigns, so increased vigilance is advised. Trend Micro has shared indicators of compromise that could help organizations defend themselves.

As an interesting sidenote: Pawn Storm is not the only group to use invites to legitimate cyber security conferences as a phishing lure. Palo Alto Networks recently spotted the Lotus Blossom APT group using the same approach.
