AndreasG - Fotolia

Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

How is Windows hot patching exploited by APT groups?

The hot-patching feature in Windows servers is vulnerable to attacks from APT groups. Expert Nick Lewis explains what hot patching is and how to mitigate its flaw.

The APT group, Platinum, has been abusing Windows' hot-patching feature in attacks against government-interest organizations and agencies in South and Southeast Asia. The APT group uses the feature, which was introduced in Windows Server 2003, to inject malicious code into running processes. How do these hot-patching attacks work, and what can be done to address them?

Advanced persistent threat (APT) groups are known to use zero days and built-in tools as part of their attacks. One of the security features introduced in Windows 2003 was hot patching. The Windows Defender Advanced Threat Hunting team detected an APT group, named Platinum, exploiting this feature. The Platinum APT also appears to have the functionality to inject malicious code using other techniques if hot patching doesn't work.

Windows hot patching was a Microsoft initiative to reduce the number of times a server would need to be rebooted. It worked by updating the running executable in memory with the patched code and hooking it so the updated code is used instead of the vulnerable code. Hot-patching functionality is present in Linux and UNIX, as well as Windows. It is used to ensure high availability and removes the need to reboot a system when core operating system processes need to be patched. Hot patching requires performing the action as an administrator, since the operating system is being modified, but an attack group has identified a way to use hot patching to hide their attack.

Enterprises can protect themselves from attacks using hot patches, such as the one by the Platinum group, by first protecting core operating system security and administrative access. Windows 2012 servers have not been reported as containing the insecure hot-patching functionality, so upgrading servers to new versions of the operating system may be reasonable. Standard network monitoring for APTs may also help identify a compromised server when the initial inspection of a server doesn't identify indicators of compromise, and layered defense -- including monitoring the network -- is necessary.

Ask the Expert: Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)

Next Steps

Find out how cybercriminals are using advanced APT-style attacks

Learn about software deployment and patching in endpoint management

Develop a strategy for upgrading your server OS

This was last published in September 2016

Dig Deeper on Microsoft Windows security