Microsoft reveals how it hunted the hacker group ‘PLATINUM’ siphoning corporate data
Microsoft’s Windows Defender Advanced Threat Hunting team identified a group of hackers who apparently abused Windows’ own patching mechanism to siphon corporate data. In a blog post today, Microsoft said that the group, PLATINUM (Microsoft uses chemical elements as code names for rogue actors), made use of hotpatching, a technique that had been discussed as a possible threat vector a decade ago.
Until now, no exploitation of hotpatching in the wild had been reported, even though the technique was described a decade ago; this is the first time any company has acknowledged it being used in a real attack. According to Microsoft’s blog, by turning Windows Server 2003’s own update system against it, PLATINUM bypassed most common security scanners.
Windows Server 2003 Service Pack 1 introduced support for hot patching certain core system services. Microsoft released ten different updates for the operating system that used this capability. When the updates were installed a particular way (it wasn’t the default), the update would patch the running system to insert the new, updated code into a server without creating the need to reboot the server. To support this hotpatching, certain versions of Windows include the ability to load a patch DLL and use this DLL to modify running programs. Both regular programs and the kernel can be patched in this way.
The PLATINUM hacker group exploited this very technique in Windows Server 2003 Service Pack 1, Windows Server 2008, Windows Server 2008 R2, Windows Vista, and Windows 7 to siphon corporate data.
The issue was corrected when Microsoft removed the hotpatching capability in Windows 8 and subsequent versions, including the newly released Windows 10.
Though Microsoft has identified the vector and the gang behind it, the hunt for the members of the PLATINUM group is still ongoing.