AndreasG - Fotolia
The APT group, Platinum, has been abusing Windows' hot-patching feature in attacks against government-interest organizations and agencies in South and Southeast Asia. The APT group uses the feature, which was introduced in Windows Server 2003, to inject malicious code into running processes. How do these hot-patching attacks work, and what can be done to address them?
Advanced persistent threat (APT) groups are known to use zero days and built-in tools as part of their attacks. One of the security features introduced in Windows 2003 was hot patching. The Windows Defender Advanced Threat Hunting team detected an APT group, named Platinum, exploiting this feature. The Platinum APT also appears to have the functionality to inject malicious code using other techniques if hot patching doesn't work.
Windows hot patching was a Microsoft initiative to reduce the number of times a server would need to be rebooted. It worked by updating the running executable in memory with the patched code and hooking it so the updated code is used instead of the vulnerable code. Hot-patching functionality is present in Linux and UNIX, as well as Windows. It is used to ensure high availability and removes the need to reboot a system when core operating system processes need to be patched. Hot patching requires performing the action as an administrator, since the operating system is being modified, but an attack group has identified a way to use hot patching to hide their attack.
Enterprises can protect themselves from attacks using hot patches, such as the one by the Platinum group, by first protecting core operating system security and administrative access. Windows 2012 servers have not been reported as containing the insecure hot-patching functionality, so upgrading servers to new versions of the operating system may be reasonable. Standard network monitoring for APTs may also help identify a compromised server when the initial inspection of a server doesn't identify indicators of compromise, and layered defense -- including monitoring the network -- is necessary.
Ask the Expert: Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)
Find out how cybercriminals are using advanced APT-style attacks
Learn about software deployment and patching in endpoint management
Develop a strategy for upgrading your server OS
Dig Deeper on Microsoft Windows security
Related Q&A from Nick Lewis
Cisco Talos' Thanatos ransomware decryptor can recover files affected by new ransomware that won't decrypt ransomed files even when a ransom has been... Continue Reading
A phishing campaign targeting Trezor wallets may have poisoned DNS or hijacked BGP to gain access. Learn how the attack worked and how to mitigate it... Continue Reading
Okta researchers found a bypass that allows macOS malware to pose as signed Apple files. Discover how this is possible and how to mitigate this ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.