The APT group, Platinum, has been abusing Windows' hot-patching feature in attacks against government-interest organizations and agencies in South and Southeast Asia. The APT group uses the feature, which was introduced in Windows Server 2003, to inject malicious code into running processes. How do these hot-patching attacks work, and what can be done to address them?
Advanced persistent threat (APT) groups are known to use zero-days and built-in operating system functionality as part of their attacks. One such built-in feature, hot patching, was introduced in Windows Server 2003. Microsoft's Windows Defender Advanced Threat Hunting team observed an APT group it named Platinum abusing this feature to inject code into running processes. Hot patching is not a vulnerability in the usual sense; it is a legitimate mechanism turned to a malicious purpose. Platinum also appears to fall back on other code-injection techniques when hot patching is unavailable or fails.
Windows hot patching was a Microsoft initiative to reduce how often a server had to be rebooted for updates. It works by loading the patched code into the running executable's memory and hooking the vulnerable function so that execution is redirected to the updated code, without restarting the process or the system. Comparable live-patching mechanisms exist for Linux and UNIX; in every case the goal is high availability, removing the reboot that patching core operating system components would otherwise require. Because it modifies the operating system's running code, hot patching requires administrative privileges, so an attacker must already hold those privileges before the technique is usable. Platinum uses it anyway: once on a system with administrative access, the group applies a malicious "patch" to a legitimate running process, so its code executes inside a trusted process through an operating system-sanctioned mechanism rather than through the conventional injection techniques that security tools are more likely to watch for, which is what makes the attack hard to spot.
Enterprises can protect themselves from hot-patching abuse such as Platinum's by first protecting the core operating system and administrative access: the technique is only available to an attacker who already holds administrative privileges, so hardening privileged accounts, limiting local administrator rights and monitoring their use removes its precondition. Hot-patching support was removed from the operating system in Windows 8 and Windows Server 2012, so the technique does not work on those or later versions, and upgrading servers that still run Windows Server 2003 through Windows Server 2008 R2 is a reasonable control. Because the injected code lives in memory inside a legitimate process, an initial inspection of a server may turn up no file-based indicators of compromise, so standard network monitoring for APT activity (command-and-control traffic, unusual lateral movement between servers) remains necessary as a layer of defense that can reveal a compromised server when host inspection does not.
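The following PowerShell script is an added example, not code from the original article or from Microsoft. It turns the upgrade advice above into a check: run from an administrator workstation, it queries each server's Windows version over WMI and flags the ones whose build still contains the hot-patching mechanism. It assumes the mechanism is present from Windows Server 2003 (NT 5.2) through Windows 7 / Server 2008 R2 (NT 6.1) and absent from Windows 8 / Server 2012 (NT 6.2) onward; the host names are constructed for illustration.

```powershell
# Added example (not from the original article): flag servers whose Windows
# version still contains the hot-patching mechanism Platinum abused.
# Assumption: the mechanism exists from NT 5.2 (Server 2003) through NT 6.1
# (Windows 7 / Server 2008 R2) and was removed in NT 6.2 (Windows 8 / Server 2012).

function Test-HotpatchCapable {
    param([Parameter(Mandatory)][version]$OSVersion)
    # 5.2 = Server 2003 / XP x64, 6.0 = Vista / Server 2008, 6.1 = 7 / Server 2008 R2
    return ($OSVersion -ge [version]'5.2') -and ($OSVersion -lt [version]'6.2')
}

function Get-HotpatchExposure {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($name in $ComputerName) {
        try {
            # Get-WmiObject (DCOM) is used instead of Get-CimInstance because the
            # Server 2003 hosts most at risk here have no WSMan/CIM stack to answer it.
            $os  = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $name -ErrorAction Stop
            $ver = [version]$os.Version
            $capable = Test-HotpatchCapable -OSVersion $ver
            $action  = if ($capable) { 'Upgrade or isolate; audit admin access' } else { 'No action (feature absent)' }
            [pscustomobject]@{
                ComputerName     = $name
                OS               = $os.Caption
                Version          = $ver.ToString()
                HotpatchAbusable = $capable
                Action           = $action
            }
        }
        catch {
            # Unreachable hosts are reported rather than silently skipped, so that a
            # decommissioned or firewalled 2003 box does not drop out of the inventory.
            [pscustomobject]@{
                ComputerName     = $name
                OS               = 'unreachable'
                Version          = $null
                HotpatchAbusable = $null
                Action           = $_.Exception.Message
            }
        }
    }
}

# Constructed host list for illustration; replace with your own server inventory.
$servers = 'fileserver01', 'dc01', 'app02'
Get-HotpatchExposure -ComputerName $servers | Format-Table -AutoSize
```

The output tells you which hosts are exposed to the technique, not whether any has already been hit; a flagged host that cannot be upgraded should have its administrative access reviewed and its network traffic monitored, as described above.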
Related Q&A from Nick Lewis
A revamped Poison Ivy RAT campaign has been using new evasion and distribution techniques. Expert Nick Lewis explains the new attack methods.
Fileless malware hidden in server memory led to attacks on many companies worldwide. Expert Nick Lewis explains how these attacks fit in with the broader threat landscape.
Vulnerabilities in Java and Python have opened them up to possible FTP injections. Expert Nick Lewis explains how enterprises can mitigate these attacks.