Saturday, July 2, 2022

Another reminder that attackers use spear phishing for initial compromise

A report this week on the discovery of an espionage group exploiting a vulnerability in several versions of Windows Server and desktop is another reminder to CISOs that IT staff — particularly administrators — have to constantly watch for potentially dangerous attachments.

The group has been dubbed Platinum by Microsoft’s advanced threat hunting team, which discovered the attackers have been at work since at least 2009 worming into government departments, defense institutes, intelligence agencies, diplomatic institutions, and telecommunication providers — mainly in Malaysia, Indonesia and China.

A prime weapon is exploiting a Windows feature called hotpatching, which allows the installation of updates without having to reboot or restart a process. A hotpatcher can transparently apply patches to executables and DLLs in actively running processes, and for Platinum it’s a way of injecting code.

However, to take advantage of hotpatching requires administrator-level permissions, so spear-phishing is an essential weapon for initial compromise to get at those credentials.

In a report Microsoft says Platinum often goes after targets at their non-official or private email accounts, to use as a stepping stone into the intended organization’s network. There is also some evidence it uses drive-by attacks against vulnerable browser plug-ins.

For the initial infection the attackers typically send malicious documents that contain exploits for vulnerabilities in various software programs, with links or remotely loaded components (images, scripts or templates) that are delivered to targets only once, says the report. “The group has made concerted efforts towards designing their initial spear-phishes in a manner where the final payload is only delivered to the intended victim.”

Hotpatching was first introduced with Windows Server 2003 and is available in WinServer 2008. It was withdrawn with the release of Windows 8. Microsoft says WinServer 10 isn’t susceptible to this attack. By using hotpatching, attackers can keep the backdoor they use to communicate with infected computers from being detected by the behavioral sensors of many security products. Then the final payload, which exploits unpatched vulnerabilities in a number of pieces of software, can be uploaded.

This points to another lesson from the discovery of this group: the importance of patching. “A number of researched Platinum victims had their public-facing infrastructure compromised through unknown flaws,” says Microsoft. So Internet-facing assets have to run up-to-date applications with security updates, and be watched for suspicious files and activity.

Microsoft also advises CISOs to consider blocking certain types of websites that don’t serve the interest of the business. Platinum makes extensive use of command and control sites that use dynamic DNS hosts, it points out. “Although such free services can be very useful at a personal level, blocking access to such hosts at a local DNS server can minimize post-compromise activity.”
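The dynamic-DNS blocking advice above can be turned into both a detection and a mitigation. The following is an added example, not code from the article or from Microsoft's report: it scans resolver query-log lines for names under a set of dynamic-DNS parent domains and emits response-policy-zone style sink rules for them. The parent-domain list, the log format and the sample log lines are constructed placeholders; an RPZ-capable resolver is assumed.

```python
import re

# Constructed placeholder list of dynamic-DNS parent domains (assumption, not from the article).
DYNDNS_PARENTS = {"dyn.example", "ddns.example", "noip.example"}

# Constructed log format (assumption): "<timestamp> client <ip>: query: <name> IN <type>"
LOG_RE = re.compile(r"^(\S+) client (\S+): query: (\S+) IN (\S+)$")


def dyndns_parent(name):
    """Return the dynamic-DNS parent that `name` sits under, or None.
    Matching is on label boundaries: 'host.dyn.example' matches, while the
    look-alike 'dyn.example.corp.internal' does not."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in DYNDNS_PARENTS:
            return candidate
    return None


def scan_log(lines):
    """Return (client_ip, queried_name, parent) for every query under a dyndns parent."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a query record; skip
        _ts, client, qname, _qtype = m.groups()
        parent = dyndns_parent(qname)
        if parent:
            hits.append((client, qname.rstrip(".").lower(), parent))
    return hits


def rpz_block_rules(parents):
    """Response-policy-zone style rules that sink each parent and all its subdomains.
    Assumes an RPZ-capable resolver; adapt the syntax to the resolver actually in use."""
    rules = []
    for p in sorted(parents):
        rules += [f"{p} CNAME .", f"*.{p} CNAME ."]
    return rules


# Constructed sample query log (not real traffic).
SAMPLE_LOG = [
    "2022-07-01T10:01:02 client 10.0.0.12: query: update.microsoft.com IN A",
    "2022-07-01T10:01:05 client 10.0.0.12: query: c2host.dyn.example IN A",
    "2022-07-01T10:02:11 client 10.0.0.37: query: dyn.example.corp.internal IN A",
    "2022-07-01T10:03:40 client 10.0.0.37: query: beacon.noip.example. IN TXT",
    "not a query line",
]
```

Run `scan_log(SAMPLE_LOG)` to see which internal clients resolved dynamic-DNS names, and feed `rpz_block_rules(DYNDNS_PARENTS)` into the resolver's policy zone to sink them.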

And it always helps to have systems that record authentications, password changes, and other significant network events; such records can help identify affected systems quickly.


Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com
