Cybersecurity Insight

Windows is Susceptible to Hotpatching Attacks

4 May

Cyberespionage group Platinum is using an obscure Windows feature called hotpatching to better hide its malware from security monitoring. The attacks are concentrated in South and Southeast Asia, in particular Indonesia, China, and Malaysia.

Platinum has been operational since 2009 and leans toward spear phishing as its main form of initial contact with its victims. Through these spear phishing attacks, the group targets specific organizations or people and then installs custom malware on the system through an otherwise little-known gap in the victim's environment. That appears to be the case with these most recent attacks on Windows networks: the feature in question, known as hotpatching, allowed updates to be applied to Windows without a reboot; the capability was removed from Windows versions 8 and beyond. Although the technique was first presented at a conference in 2013 by a security researcher, this is the first time that Microsoft has seen this type of attack occur at such a high rate.

There are a few key points in this story that apply to any organization or company, regardless of its industry. The first is that spear phishing campaigns were the initial in-road used to deliver the malware, with hotpatching serving as cover. As mentioned previously on this blog, it is paramount to have safeguards on both the technical and the personnel side; in other words, research and deploy strong email security protection, and educate employees on spotting suspicious messages, odd links, and unexpected attachments. The second is that hotpatching ran its course and was not used on versions past Windows 8, which means the users experiencing these attacks have not updated their systems. Take action immediately: confirm that your network is running the latest version of its operating system and that your security checks are up to date. Doing so can save a lot of time, money, and headache down the road.

Hotpatching attacks are avoidable on a variety of levels, but unfortunately organizations are being hit through spear phishing and a lack of system updates. Many cyber attacks, this one included, are avoidable if you take the necessary precautions ahead of time: consult the cyber security personnel of your choice and have plans in place for the present and the future.