Microsoft's security researchers are hunting a group of hackers that has long been working against NGOs and intelligence agencies, hiding its tracks by abusing a feature found in some versions of Windows.
Microsoft's Windows Defender Advanced Threat Hunting team is working to identify and neutralize a group of hackers that has been carrying out a series of attacks since 2009. The group, called Platinum, began claiming victims in Southeast Asia around seven years ago, mainly in Malaysia and Indonesia. About half of the attacks have been directed at NGOs of some kind, including intelligence and defense agencies, and another 25% were carried out against Internet service providers. The goal of these attacks does not appear to be an immediate financial return; rather, they are characterized as broader economic espionage that exploits the stolen information.
Microsoft itself does not seem to know much more about the team behind the attacks. The information in its report indicates the use of spear-phishing to penetrate target networks, together with special measures to conceal traces: the Platinum group is said to use malware with a self-deletion feature, equipped with countermeasures to evade antivirus products, and malware that limits its network activity to working hours, making anomalous traffic harder to identify.
Over the years the group is reported to have used a number of techniques, including several 0-day vulnerabilities and one rather interesting method that relies on a feature of Windows itself: Service Pack 1 of Windows Server 2003 introduced a "hot patching" capability for some core system services. Microsoft has issued ten different updates that use this feature.
When the updates are installed in a certain way (not the standard mode), the changes can be applied directly to the running system without requiring a reboot. To support this, some versions of Windows include the ability to load a modified DLL that is used to alter the program while it is running. Both ordinary programs and the kernel can be updated in this way.
At the 2006 edition of the Black Hat conference, security researcher Alex Sotirov gave a presentation describing how the hot patching system could also be used for small third-party updates while official Microsoft fixes were still pending. A more detailed description was offered by Alex Ionescu at SyScan 2013, which stressed how the system could be used by an attacker to modify a running system without having to write the malware to disk or tamper with a DLL, both steps that can be detected by common anti-malware software or even by a more attentive user.
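As an added illustration (not code from the Microsoft report or from this article), here is one defender-side check that follows from the hot patching mechanism described above: Microsoft's hotpatch-compatible x86 binaries reserve a padded two-byte prolog in each function, and a hot patch redirects execution by rewriting those bytes in memory rather than on disk. The function below classifies a function entry as untouched, hooked, or not built for hot patching, and reports where a hook points; the sample byte windows and the address 0x77E41000 are constructed values, not captured from a real system.

```c
#include <stdint.h>
#include <stdio.h>

/* Verdict for one function entry point. */
enum hp_state { HP_NOT_HOTPATCHABLE = 0, HP_CLEAN = 1, HP_HOOKED = 2 };

/* A hotpatch-capable x86 function (Microsoft's /hotpatch ABI) is preceded by
   5 bytes of padding (int3 0xCC or nop 0x90) and begins with the 2-byte no-op
   "mov edi, edi" (8B FF). Applying a hot patch writes "jmp rel32" (E9 ...)
   into the padding and replaces the prolog with "jmp short -7" (EB F9), which
   lands on it. `win` points at the 7 bytes [pad0..pad4, prolog0, prolog1]. */
enum hp_state classify_entry(const uint8_t win[7])
{
    int pad_clean = 1;
    for (int i = 0; i < 5; i++)
        if (win[i] != 0xCC && win[i] != 0x90)
            pad_clean = 0;

    if (win[5] == 0x8B && win[6] == 0xFF && pad_clean)
        return HP_CLEAN;            /* padding untouched, original prolog */
    if (win[5] == 0xEB && win[6] == 0xF9 && win[0] == 0xE9)
        return HP_HOOKED;           /* short jmp back into a long jmp */
    return HP_NOT_HOTPATCHABLE;     /* some other prolog, not this ABI */
}

/* For a hooked entry, compute where the long jmp goes. entry_va is the
   virtual address of the function's first byte; the jmp sits 5 bytes before
   it and rel32 is relative to the end of the jmp, i.e. to entry_va itself.
   A defender then checks whether that address lies inside the module's own
   image (a legitimate update) or in some unrelated memory region. */
uint32_t hook_target(uint32_t entry_va, const uint8_t win[7])
{
    uint32_t rel = (uint32_t)win[1] | ((uint32_t)win[2] << 8) |
                   ((uint32_t)win[3] << 16) | ((uint32_t)win[4] << 24);
    return entry_va + rel;          /* unsigned wraparound handles negative rel32 */
}

/* Constructed sample windows (not captured from a real system). */
static const uint8_t SAMPLE_CLEAN[7]  = {0x90,0x90,0x90,0x90,0x90, 0x8B,0xFF};
static const uint8_t SAMPLE_HOOKED[7] = {0xE9,0x00,0x10,0x00,0x00, 0xEB,0xF9};
static const uint8_t SAMPLE_OTHER[7]  = {0xCC,0xCC,0xCC,0xCC,0xCC, 0x55,0x8B};

int main(void)
{
    static const char *names[] = {"not hotpatchable", "clean", "hooked"};
    printf("clean : %s\n", names[classify_entry(SAMPLE_CLEAN)]);
    printf("hooked: %s -> target 0x%08X\n", names[classify_entry(SAMPLE_HOOKED)],
           hook_target(0x77E41000u, SAMPLE_HOOKED));
    printf("other : %s\n", names[classify_entry(SAMPLE_OTHER)]);
    return 0;
}
```

On a live system the 7-byte windows would be read from each exported function of a loaded module and the hook target compared against the module's image bounds; a target outside every known image is the anomaly worth investigating.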
The Platinum group used this technique in real attacks to better hide its activity. The technique works against Windows Server 2003 Service Pack 1, Windows Server 2008, Windows Server 2008 R2, Windows Vista and Windows 7, all operating systems that were found in a series of attacks that occurred in Malaysia during the past months.
The hot patching feature has been removed from Windows 8, and later versions do not support it for most of the operating system. Moreover, it is a technique that is used infrequently, and saving a restart is certainly not so valuable, especially when weighed against the more serious security risks that can result from improper use of the technique.