SafeUM
28 Apr 2016

Hacking group Platinum used Windows’ own patching system against it

Microsoft's Windows Defender Advanced Threat Hunting team works to track down and identify hacking groups that perpetrate attacks.

The focus is on the groups that are the most selective about their targets and that work the hardest to stay undetected. The company wrote today about one particular group that it has named PLATINUM.

The group has been attacking targets in South East Asia since at least 2009, with Malaysia its biggest victim, accounting for just over half the attacks, and Indonesia in second place. Almost half of the attacks were aimed at government organizations of some kind, including intelligence and defense agencies, and a further quarter were aimed at ISPs. The goal of these attacks does not appear to have been immediate financial gain—these hackers weren't after credit cards and banking details—but rather broader economic espionage using stolen information.

Microsoft doesn't appear to know a great deal about the team doing the hacking. The team has often used spear-phishing to initially penetrate target networks and seems to have taken great pains to hide its attacks. For example, it has used self-deleting malware to cover its tracks, customized malware to evade anti-virus detection, and malware that only communicates during business hours, so that its traffic blends in with normal activity and is harder to notice. Redmond suggests that the adversary is likely a government organization of some kind, given its level of organization and the kinds of data it has sought to steal.

The hackers have used many techniques over the years, with numerous 0-day vulnerabilities being exploited to penetrate victims' systems and spread through their networks. Microsoft has a long writeup describing these techniques. One technique in particular is interesting, since it uses Windows' own capabilities against itself.

Windows Server 2003 Service Pack 1 introduced support for hot patching certain core system services. Microsoft released ten different updates for the operating system that used this capability. When an update was installed in a particular, non-default way, it would patch the running system, inserting the new code into a server without requiring a reboot. To support this hotpatching, certain versions of Windows include the ability to load a patch DLL and use it to modify running programs. Both regular programs and the kernel can be patched in this way.

In 2006, Alex Sotirov gave a presentation at Black Hat that briefly described how Windows' hotpatching worked in the context of a description of how third parties had offered some quick patches for Windows flaws while waiting for Microsoft's official fixes. A more thorough description was given by Alex Ionescu at SyScan 2013. Ionescu's talk wasn't just about how hotpatching was implemented but described ways that attackers could use it to modify running systems to inject malware without having to write the malware to disk or inject DLLs, both of which are visible to anti-malware software and humans alike.
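Because a hotpatch changes a running program's code rather than its files on disk, one way a defender can spot it is to compare a function's entry bytes in memory with the same bytes in the module on disk. The following is an added example written for this article, not code from Ars Technica, Microsoft or the researchers named above. It assumes the documented x86 hotpatch layout (five bytes of padding before the function and a two-byte "mov edi, edi" as its first instruction, which a hotpatch turns into a long jump plus a short jump back to it); the DLL, export names and addresses are constructed sample data.

```python
import struct

PADDING = {0x90, 0xCC}  # compilers emit NOP or INT3 padding before hotpatchable functions


def is_hotpatchable(on_disk: bytes) -> bool:
    """Does the on-disk image show the hotpatch layout: 5 padding bytes, then 'mov edi, edi'?"""
    return (len(on_disk) >= 7
            and all(b in PADDING for b in on_disk[:5])
            and on_disk[5:7] == b"\x8b\xff")


def check_entry(on_disk: bytes, in_memory: bytes, entry_va: int):
    """Compare the 7 bytes around one function entry as found on disk and in the process.

    Both slices start 5 bytes before the entry; entry_va is the address of the entry itself.
    Returns (status, detour_target), where status is one of
    'not-hotpatchable', 'clean', 'hotpatched' or 'tampered'.
    """
    if not is_hotpatchable(on_disk):
        return ("not-hotpatchable", None)   # other inline-hook checks would apply here
    mem = in_memory[:7]
    if mem == on_disk[:7]:
        return ("clean", None)
    # Hotpatch signature: E9 rel32 written into the padding, and EB F9 (jmp -7)
    # replacing 'mov edi, edi' so execution lands on that long jump.
    if mem[0] == 0xE9 and mem[5:7] == b"\xeb\xf9":
        rel32 = struct.unpack("<i", mem[1:5])[0]
        # The E9 jump occupies [entry_va-5, entry_va), so rel32 is relative to entry_va.
        return ("hotpatched", entry_va + rel32)
    return ("tampered", None)   # modified, but not by the OS hotpatch mechanism


def scan(entries):
    """entries: iterable of (name, entry_va, on_disk_bytes, in_memory_bytes); returns findings only."""
    findings = []
    for name, va, disk, mem in entries:
        status, target = check_entry(disk, mem, va)
        if status in ("hotpatched", "tampered"):
            findings.append((name, status, target))
    return findings


# Constructed sample (not a real memory dump): four exports of an imaginary 32-bit DLL.
ENTRY_VA = 0x7C810000
DETOUR = 0x00300000          # where the patched function now jumps to
CLEAN = b"\x90" * 5 + b"\x8b\xff\x55\x8b\xec"
PATCHED = b"\xe9" + struct.pack("<i", DETOUR - ENTRY_VA) + b"\xeb\xf9\x55\x8b\xec"
HOOKED = b"\x90" * 5 + b"\xe9\x00\x00\x00\x00"      # plain inline hook, not a hotpatch
PLAIN = b"\x55\x8b\xec\x83\xec\x10\x53"             # no hotpatch padding at all
SAMPLE = [
    ("ExportA", ENTRY_VA, CLEAN, CLEAN),
    ("ExportB", ENTRY_VA, CLEAN, PATCHED),
    ("ExportC", ENTRY_VA, CLEAN, HOOKED),
    ("ExportD", ENTRY_VA, PLAIN, PLAIN),
]
```

On a live system the in-memory bytes would come from reading the target process at each export's address and the on-disk bytes from the mapped image file; the comparison logic stays the same.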

The PLATINUM group used this technique, which can work against Windows Server 2003 Service Pack 1, Windows Server 2008, Windows Server 2008 R2, Windows Vista, and Windows 7, in real-world attacks to better hide its efforts from analysis. This operating-system-provided hotpatching was found in malware attacking systems in Malaysia earlier this year.

The hotpatching capability was removed in Windows 8, and subsequent versions of the operating system do not support it. It wasn't often used, and saving a few reboots is arguably not that useful, especially if it means handing hackers a convenient tool for attacking running systems. Nonetheless, an attack that uses a well-intentioned operating-system feature to evade detection is a relative novelty. Microsoft's hunt for PLATINUM is still ongoing.

Tags: information leaks, hackers, Windows
Source: Ars Technica