The APT group, Platinum, has been abusing Windows' hot-patching feature in attacks against government-interest...
organizations and agencies in South and Southeast Asia. The APT group uses the feature, which was introduced in Windows Server 2003, to inject malicious code into running processes. How do these hot-patching attacks work, and what can be done to address them?
Advanced persistent threat (APT) groups are known to use zero days and built-in tools as part of their attacks. One of the security features introduced in Windows 2003 was hot patching. The Windows Defender Advanced Threat Hunting team detected an APT group, named Platinum, exploiting this feature. The Platinum APT also appears to have the functionality to inject malicious code using other techniques if hot patching doesn't work.
Windows hot patching was a Microsoft initiative to reduce the number of times a server would need to be rebooted. It worked by updating the running executable in memory with the patched code and hooking it so the updated code is used instead of the vulnerable code. Hot-patching functionality is present in Linux and UNIX, as well as Windows. It is used to ensure high availability and removes the need to reboot a system when core operating system processes need to be patched. Hot patching requires performing the action as an administrator, since the operating system is being modified, but an attack group has identified a way to use hot patching to hide their attack.
Enterprises can protect themselves from attacks using hot patches, such as the one by the Platinum group, by first protecting core operating system security and administrative access. Windows 2012 servers have not been reported as containing the insecure hot-patching functionality, so upgrading servers to new versions of the operating system may be reasonable. Standard network monitoring for APTs may also help identify a compromised server when the initial inspection of a server doesn't identify indicators of compromise, and layered defense -- including monitoring the network -- is necessary.
Ask the Expert: Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)
Find out how cybercriminals are using advanced APT-style attacks
Learn about software deployment and patching in endpoint management
Develop a strategy for upgrading your server OS
Dig Deeper on Microsoft Windows security
Related Q&A from Nick Lewis
A new remote access Trojan called UBoatRAT was found spreading via Google services and GitHub. Learn how spotting command-and-control systems can ... Continue Reading
CyberArk researchers created an attack called Golden SAML that uses Mimikatz techniques and applied it to a federated environment. Learn more about ... Continue Reading
The use of botnets to spread Scarab ransomware intensifies the threat for enterprises. Discover the best way to respond to such a threat and protect ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.