<h1>Hothacking: an obscure Windows feature as an APT weapon</h1>
<p>Kaspersky Daily (Business), published 2016-05-10, last modified 2020-02-26. Original: <a href="https://www.kaspersky.com/blog/hotpatching-apt/15142/">https://www.kaspersky.com/blog/hotpatching-apt/15142/</a></p>
<p>Threatpost <a href="https://threatpost.com/platinum-apt-group-abuses-windows-hotpatching/117692/" target="_blank" rel="noopener nofollow">reported</a> on a new APT group codenamed Platinum, which was seen exploiting hotpatching, a now-deprecated feature of Windows operating systems, to conduct its attacks.</p>
<p><strong>An obscure feature</strong></p>
<p>Hotpatching was introduced in Windows Server 2003 and dropped with Windows 8. The feature is generally considered obscure: although it is important and interesting in principle, since it allows system components to be updated dynamically without rebooting the computer, it was used so rarely that Microsoft eventually decided to remove it.</p>
<p>Between Windows Server 2003 and Windows 8 the feature was always there; it would be fair to say it <em>is</em> still there, as it is present in the now-dominant Windows 7.</p>
<p>Security researchers <a href="http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Sotirov.pdf" target="_blank" rel="noopener nofollow">warned</a> that there was definite potential for abuse: it was possible for attackers to inject malicious code into running processes without having to reboot the server. This proved to be true. Hotpatching, however, does require administrator privileges, so the attackers have to be &#8220;on the box&#8221; already to make use of the technique.</p>
<p>For the Platinum operators this was apparently no obstacle at all: they made extensive and efficient use of various tricks to get in. The primary tool was (and is) narrowly targeted spear-phishing campaigns using malicious Office documents that exploited previously unpatched vulnerabilities and downloaded backdoors and other code to the compromised machines.</p>
<p>The group exploited at least four zero-days; Microsoft patched them in late April.</p>
<p>The group used a number of backdoors with varying capabilities (ranging from the theft of intellectual property to fingerprinting system and browser information before additional attacks are launched) and custom malware components, some of which were equipped with self-deletion functions to cover their tracks.</p>
<p><strong>Few but serious</strong></p>
<p>In all fairness, there have been just a few attacks so far, but all of them were rather high profile, which indicates that Platinum is a highly specialized group.</p>
<p>It has been active in South and Southeast Asia, focusing primarily on government interests, including agencies, defense organizations, intelligence agencies, diplomats and telecommunications companies. Although active since at least 2009, Platinum conducts just a few attacks per year in order to stay out of sight. They seemed to be very good at this for a while.</p>
<p>However, February&#8217;s attack on a government news website in India exposed them.</p>
<p>In its report, Microsoft said that in some cases several zero-day exploits were used in attacks on the same target, an activity that requires a significant investment in R&amp;D. This most likely means that Platinum is a highly specialized group, motivated and disciplined enough to ensure that no custom malware or exploits leak before they are deployed.</p>
<p><strong>Course of counter-action</strong></p>
<p>Platinum may be a highly specialized team with a short list of interests and a closely guarded toolset. However, now that details of the patched zero-days have been published, it probably won&#8217;t take long for other attack groups to figure out how to exploit those vulnerabilities. This immediately makes the list of possible targets much, much longer.</p>
<p>It is highly recommended to pay attention to those vulnerabilities and keep systems up to date. In fact, it is not the hotpatching function that poses the primary threat, but software flaws and the gullibility of endpoint users: social engineering and well-crafted spear-phishing campaigns are common vectors of initial compromise. The only way to counter them is to educate employees on what phishing is, how it works and how not to fall victim to it.</p>
<p>And, of course, a <a href="https://www.kaspersky.com/business-security/small-to-medium-business" target="_blank" rel="noopener nofollow">robust security solution</a> capable of providing multi-layered defense against known and <a href="https://www.kaspersky.com/downloads/pdf/kaspersky_lab_whitepaper_automatic_exploit_prevention_eng_final.pdf" target="_blank" rel="noopener nofollow">unknown</a> threats should be in place.</p>