Microsoft's security researchers say they have detected a group of cybercriminals that has found a way to turn the Windows hotpatching mechanism against Microsoft itself, in order to prevent the technology giant's researchers from detecting their nefarious activities.
Researchers from the Windows Defender Advanced Threat Hunting team have been investigating a particular group of hackers, called Platinum, that has been conducting cyber espionage campaigns against governmental organisations, defence institutes, intelligence agencies and telecommunication providers in Southeast Asia and South Asia since 2009.
The reason Platinum has remained undetected for so long is that the group has gone to great lengths to develop covert techniques that help it stay hidden. Part of this strategy involves hijacking a Windows feature called "hotpatching", which was supported in versions prior to Windows 8 and Windows 10.
Hotpatching is designed to help push urgent security patches and updates to Windows machines, allowing a PC to apply an update without rebooting or restarting the affected processes. The feature first shipped with Windows Server 2003.
Because hotpatching is a genuine, known Windows mechanism, most security products do not flag its use as a problem, so Platinum can quietly use it as a backdoor into corporate networks without being detected. In January, Microsoft observed the technique being used in malware targeting a company in Malaysia, and found that the hackers had persistently attacked that company over a long period of time.
While not available on the two latest versions of Windows, hotpatching is supported by Windows Vista, Windows 7, Windows Server 2003 Service Pack 1, Windows Server 2008 and Windows Server 2008 R2.
IBTimes UK has contacted the Windows Defender Advanced Threat Hunting team to find out what companies still using these products can do, and is currently awaiting a response.