AndreasG - Fotolia
The APT group, Platinum, has been abusing Windows' hot-patching feature in attacks against government-interest organizations and agencies in South and Southeast Asia. The APT group uses the feature, which was introduced in Windows Server 2003, to inject malicious code into running processes. How do these hot-patching attacks work, and what can be done to address them?
Advanced persistent threat (APT) groups are known to use zero days and built-in tools as part of their attacks. One of the security features introduced in Windows 2003 was hot patching. The Windows Defender Advanced Threat Hunting team detected an APT group, named Platinum, exploiting this feature. The Platinum APT also appears to have the functionality to inject malicious code using other techniques if hot patching doesn't work.
Windows hot patching was a Microsoft initiative to reduce the number of times a server would need to be rebooted. It worked by updating the running executable in memory with the patched code and hooking it so the updated code is used instead of the vulnerable code. Hot-patching functionality is present in Linux and UNIX, as well as Windows. It is used to ensure high availability and removes the need to reboot a system when core operating system processes need to be patched. Hot patching requires performing the action as an administrator, since the operating system is being modified, but an attack group has identified a way to use hot patching to hide their attack.
Enterprises can protect themselves from attacks using hot patches, such as the one by the Platinum group, by first protecting core operating system security and administrative access. Windows 2012 servers have not been reported as containing the insecure hot-patching functionality, so upgrading servers to new versions of the operating system may be reasonable. Standard network monitoring for APTs may also help identify a compromised server when the initial inspection of a server doesn't identify indicators of compromise, and layered defense -- including monitoring the network -- is necessary.
Ask the Expert: Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)
Find out how cybercriminals are using advanced APT-style attacks
Learn about software deployment and patching in endpoint management
Develop a strategy for upgrading your server OS
Dig Deeper on Microsoft Windows security
Related Q&A from Nick Lewis
Port scans provide data on how networks operate. In the wrong hands, this info could be part of a larger malicious scheme. Learn how to detect and ... Continue Reading
Cloud penetration testing presents new challenges for information security teams. Here's how a playbook from the Cloud Security Alliance can help ... Continue Reading
Many cloud providers are tight-lipped about internal security control details. Learn how to evaluate cloud security providers with certifications and... Continue Reading