Platinum Nugget. Image Source: Wikipedia
There are basically two types of hacking teams. The first type is after quick profit, harvesting credit card numbers and banking details. The second type is more dangerous, even though it may not directly affect the financial state of victims, as it is concentrated on long-term espionage.
The targets of such hacking teams are usually government organizations, intelligence and defense agencies, or even ISPs.
Now, imagine that there is one particular hacking team that has been attacking all of the above, and has been so persistent that even Microsoft’s Windows Defender Advanced Threat Hunting team is nowhere near identifying it.
A Look into PLATINUM Hacking Team’s Attacks
This hacking team has been labeled PLATINUM, following Microsoft’s tradition of naming threat groups after chemical compounds.
PLATINUM’s members have applied numerous techniques over time, and have exploited many zero-day vulnerabilities to break into victims’ systems and infect their networks. Microsoft has just released a detailed report describing PLATINUM’s weaponry, and it’s published on Microsoft Technet.
One of the techniques is particularly interesting – it employs Windows’ capabilities against… Windows. It is called hotpatching:
Hotpatching is a previously supported OS feature for installing updates without having to reboot or restart a process. It requires administrator-level permissions, and at a high level, a hotpatcher can transparently apply patches to executables and DLLs in actively running processes.
Microsoft’s Hotpatching Leveraged
Hotpatching was originally introduced in Windows Server 2003. The advanced hacking team has used hotpatching against Windows Server 2003, Service Pack 1, Windows Server 2008, Windows Server 2008 R2, Windows Vista and Windows 7. Hotpatching is not available in Windows 8 anymore, while Windows 10 is not prone to such attacks at all.
Microsoft’s investigation indicates that PLATINUM has been active since 2009, primarily targeting governmental organizations, intelligence agencies and telecommunication providers in South and Southeast Asia.
The group has developed advanced and, not surprisingly, surreptitious techniques that help them remain undetected and successful in all attacks. The worst thing is that “silent” cyber-espionage campaigns can go on for an extended period of time without raising the slightest suspicion.
One of the samples investigated by Microsoft’s team not only supported hotpatching but was also able to apply more common code-injection techniques, including those listed below, against common Windows processes such as winlogon.exe, lsass.exe and svchost.exe:
NtQueueApcThread to run an APC in a thread in the target process
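As an added example (not part of this article or of Microsoft’s report), the following Python snippet shows how a defender might triage process-access telemetry for handles that carry the rights needed to inject code into the processes named above. The record format, the sample events and the allowlist of expected source binaries are assumptions constructed for the example; the access-right constants are the standard Windows values.

```python
"""Flag handle-open events that could enable code injection (APC queuing,
remote threads, memory writes) into winlogon.exe, lsass.exe or svchost.exe.
Added example; records are constructed here and loosely modelled on the
SourceImage/TargetImage/GrantedAccess fields of Sysmon Event ID 10."""

# Windows process access rights (winnt.h). Any one of these lets a caller
# write memory or control threads in the target, which injection requires.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECTION_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Processes the report names as injection targets.
TARGETS = {"winlogon.exe", "lsass.exe", "svchost.exe"}

# Hypothetical allowlist: system binaries expected to open such handles.
EXPECTED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
}

# Constructed sample telemetry, one 'key=value|key=value' record per line.
SAMPLE_EVENTS = [
    "SourceImage=C:\\Windows\\System32\\services.exe|TargetImage=C:\\Windows\\System32\\svchost.exe|GrantedAccess=0x1FFFFF",
    "SourceImage=C:\\Users\\Public\\update.exe|TargetImage=C:\\Windows\\System32\\winlogon.exe|GrantedAccess=0x1028",
    "SourceImage=C:\\Program Files\\Agent\\agent.exe|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x1000",
    "SourceImage=C:\\Windows\\Temp\\svc.exe|TargetImage=C:\\Windows\\System32\\explorer.exe|GrantedAccess=0x1FFFFF",
]


def parse_event(line):
    """Parse one constructed record into a dict of its fields."""
    return dict(kv.split("=", 1) for kv in line.strip().split("|"))


def is_suspicious(event):
    """True when an unexpected process opens a named target with injection rights."""
    target = event["TargetImage"].rsplit("\\", 1)[-1].lower()
    if target not in TARGETS:
        return False
    granted = int(event["GrantedAccess"], 16)
    if not granted & INJECTION_RIGHTS:
        return False  # query/read-only handle: not enough to inject
    return event["SourceImage"].lower() not in EXPECTED_SOURCES


def find_injection_candidates(lines):
    """Return the parsed events worth an analyst's attention."""
    return [e for e in map(parse_event, lines) if is_suspicious(e)]
```

Only the second sample record is returned: the handle to winlogon.exe carries PROCESS_VM_WRITE and PROCESS_VM_OPERATION and comes from a binary outside the allowlist, whereas the read-only handle to lsass.exe and the expected services.exe to svchost.exe access are not flagged.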
Was Really Caught by Surprise?
As pointed out by Arstechnica, the IT community was warned about the employment of hotpatching in malicious scenarios in 2013 at SyScan. This is when security researcher Alex Ionescu described the ways hotpatching could be applied to modify systems and inject malware without needing to inject DLLs. The researcher recently tweeted that “My SyScan 2012 hotpatching attack now used in the wild!”, linking to Microsoft’s Technet article about PLATINUM.
Microsoft is still “digging for Platinum”. Obviously, they have no idea as to who is pulling the strings of these persistent cyber espionage operations. It remains unclear why the company didn’t do anything to avoid hotpatching attacks. The Windows Defender Advanced Threat Hunting Team should have definitely seen this coming.
Not to mention that in 2006, during the Black Hat conference, security researcher Alex Sotirov described the inner workings of hotpatching and also talked about how third parties had suggested patches for Windows vulnerabilities before the release of official fixes.