Last year, Microsoft made a big deal about how it was investing a billion dollars in building out its security apparatus. On the Microsoft Malware Protection Center’s Threat Research & Response Blog, they shared a little bit about how that has paid off with the story of how the Windows Defender Advanced Threat Hunting team, or just Hunters for short, thwarted a long-running attack that utilized a series of bad patches and deep discretion.
The attack utilized Hotpatching, which had been discussed as a possible threat vector a decade ago but, until now, never seen in the wild. It was performed by a rogue actor group Microsoft has codenamed Platinum (Microsoft uses chemical elements as code names for rogue actors).
What’s interesting in the case study is that this wasn’t exactly an unknown vulnerability, having been publicly discussed over a decade ago, but it was one that was still first successfully used almost a decade after it was publicly disclosed. Because the technique uses Windows Server 2003’s own update system against it, it bypassed most common security scanners.
But beyond the technical details, there’s a lot of high drama. Unlike many of the threats that are reported on publicly, Microsoft said Platinum seeks to keep a low profile for years, targeting “governmental organizations, defense institutes, intelligence agencies, and telecommunication providers in South and Southeast Asia.”
Windows 10 is not vulnerable to this attack, according to Microsoft.
This first ran at http://windowsitpro.com/security/microsoft-shares-how-it-hunted-secretive-rogue-actor-siphoning-corporate-data