A report this week on the discovery of an espionage group exploiting a vulnerability in several versions of Windows Server and desktop is another reminder to CISOs that IT staff — particularly administrators — have to constantly watch for potentially dangerous attachments.
The group has been dubbed Platinum by Microsoft’s advanced threat hunting team, which discovered the attackers have been at work since at least 2009 worming into government departments, defense institutes, intelligence agencies, diplomatic institutions, and telecommunication providers — mainly in Malaysia, Indonesia and China.
A prime weapon is exploiting a Windows feature called hotpatching, which allows the installation of updates without having to reboot or restart a process. A hotpatcher can transparently apply patches to executables and DLLs in actively running processes, and for Platinum it’s a way of injecting code.
However, to take advantage of hotpatching requires administrator-level permissions, so spear-phishing is an essential weapon for initial compromise to get at those credentials.
In a report Microsoft says Platinum often goes after targets at their non-official or private email accounts, to use as a stepping stone into the intended organization’s network.There is also some evidence it uses drive-by attacks against vulnerable browser-plugins.
For the initial infection the attackers typically sends malicious documents that contain exploits for vulnerabilities in various software programs, with links or remotely loaded components (images or scripts or templates) that are delivered to targets only once, says the report. “The group has made concerted efforts towards designing their initial spear-phishes in a manner where the final payload is only delivered to the intended victim.”
Hotpatching was first introduced with Windows Server 2003 and is available in WinServer 2008. It was withdrawn with the release of Windows 8. Microsoft says WinServer 10 isn’t susceptible to this attack. By using hotpatching attackers can avoid the detection of a backdoor to communicate with infected computers from behavioral sensors of many security products. Then the final payload, which exploits unpatched vulnerabilities in a number of pieces of software, can be uploaded.
This points out another lesson from the discovery of this group: The importance of patching. “A number of researched Platinum victims had their public-facing infrastructure compromised through unknown flaws,” says Microsoft. So Internet-facing assets have to run up-to-date applications with security updates, and be watched for for suspicious files and activity.
Microsoft also advises CISOs to consider blocking certain types of websites that don’t serve the interest of the business. Platinum makes extensive use of command and control sites that use dynamic DNS hosts, it points out. “Although such free services can be very useful at a personal level, blocking access to such hosts at a local DNS server can minimize post-compromise activity.”
And it always helps to have systems that record authentications, password changes, and other significant network events can help identify affected systems quickly.