Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

4/28/2016
05:01 PM
Connect Directly
Twitter
RSS
E-Mail
0%
100%

Hacker Group Exploits 'Hot Patching' In Windows To Cloak Cyber Espionage

Group called Platinum employs spear phishing and malicious use of hot patching to steal information from government agencies in Asia.

A cyber espionage group is using an advanced persistent threat technique that exploits an obscure Windows OS feature known as “hot patching” to cloak backdoors they have created in targeted systems and networks of government agencies and telecommunications companies in Asia and Southeast Asia, according to Microsoft.

The group, called Platinum by Microsoft researchers, has gained persistent access to the networks of companies it targeted and victimized over a long period without being detected. Spear phishing is the primary way the group gains initial network access, targeting an individual’s personal account as a way to get inside corporate networks.

Spear phishing and the malicious use of hot patching appear to have been quite effective and, until now, enabled Platinum to go undetected. Microsoft research suggests that Platinum has been targeting its victims since at least as early as 2009.

Hot patching is a previously supported OS feature -- originally shipped with Windows Server 2003 --for installing updates without having to reboot or restart a process. It requires administrator-level permissions.  At a high level, a hot patcher can transparently apply patches to executables and Dynamic Link Libraries in actively running processes, according to researchers with Microsoft’s Windows Defender Advanced Threat Hunting Team, who discovered the threat.

“Platinum was able to abuse this feature to hide their backdoor from the behavioral sensors of many host security products. We first observed a sample employing the hot patching technique on a machine in Malaysia,” Microsoft security researchers, write in a blog.  “This allowed Platinum to gain persistent access to the networks of companies it targeted and victimized over a long period without being detected.”

Hot patching removed in Windows 8

The hot patching feature was removed in Windows 8 and has not been included in subsequent releases of Windows. Platinum, though, appears to believe that enough of their targeted users will continue to run the earlier versions of Windows to make the technique a useful tool, at least until early 2017, researchers say.

The technique Platinum uses to inject code via hot patching was first documented by security researcher Alex Ionescu in 2013. Administrator permissions are required for hot patching, and the technique used by Platinum does not attempt to evade this requirement through exploitation.

Platinum typically sends malicious documents that contain exploits for vulnerabilities in various software programs, with links or remotely loaded components such as images or scripts or templates that are delivered to targets only once, according to Microsoft researchers.

For instance, “in February 2016, Platinum was observed using a legitimate website dedicated to news about the Indian government, as an infection vector. This site, which is not associated with the Indian government itself, also provides a free email service for its users, giving them email addresses with the site’s own domain name. Platinum sent spear phishing messages to users of the service, which included some Indian government officials.”

After infecting an unsuspecting user this way, the attackers had complete control of the user’s computer and used it as a stepping stone into the official network to which the user belonged, researchers say.

Looking for government IP

Platinum, which appears to be well-funded, seeks to steal sensitive intellectual property related to government interests.  Its range of preferred targets is consistently limited to specific governmental organizations, defense institutes, intelligence agencies, diplomatic institutions, and telecommunication providers in South and Southeast Asia. “The group’s persient use of spear phishing tactics (phishing attempts aimed at specific individuals) and access to previously undiscovered zero-day exploits have made it a highly resilient threat,” researchers say.

The Microsoft researchers have developed attacker profiles on these advanced persistent attackers that includes distinctive behavior, signatures, geography, and victimology.

To reduce the likelihood of Platinum conducting successful attacks against employees and networks, Microsoft researchers advise organizations to:

  • Take advantage of native mitigations built into Windows 10;
  • Apply all security updates as soon as they become available;
  • Conduct enterprise software security awareness training and build awareness of malware prevention;
  • Institute a strong network firewall and proxy; and
  • Make sure all Internet-facing assets are running the latest applications and security up-dates.

Related content:

 

Gain insight into the latest threats and emerging best practices for managing them. Attend the Security Track at Interop Las Vegas, May 2-6. Register now!

Rutrell Yasin has more than 30 years of experience writing about the application of information technology in business and government. View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 11/19/2020
New Proposed DNS Security Features Released
Kelly Jackson Higgins, Executive Editor at Dark Reading,  11/19/2020
The Yellow Brick Road to Risk Management
Andrew Lowe, Senior Information Security Consultant, TalaTek,  11/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: He hits the gong anytime he sees someone click on an email link.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-29128
PUBLISHED: 2020-11-26
petl before 1.68, in some configurations, allows resolution of entities in an XML document.
CVE-2020-27251
PUBLISHED: 2020-11-26
A heap overflow vulnerability exists within FactoryTalk Linx Version 6.11 and prior. This vulnerability could allow a remote, unauthenticated attacker to send malicious port ranges, which could result in remote code execution.
CVE-2020-27253
PUBLISHED: 2020-11-26
A flaw exists in the Ingress/Egress checks routine of FactoryTalk Linx Version 6.11 and prior. This vulnerability could allow a remote, unauthenticated attacker to specifically craft a malicious packet resulting in a denial-of-service condition on the device.
CVE-2020-27255
PUBLISHED: 2020-11-26
A heap overflow vulnerability exists within FactoryTalk Linx Version 6.11 and prior. This vulnerability could allow a remote, unauthenticated attacker to send malicious set attribute requests, which could result in the leaking of sensitive information. This information disclosure could lead to the b...
CVE-2020-25651
PUBLISHED: 2020-11-26
A flaw was found in the SPICE file transfer protocol. File data from the host system can end up in full or in parts in the client connection of an illegitimate local user in the VM system. Active file transfers from other users could also be interrupted, resulting in a denial of service. The highest...