Saturday, April 30, 2016

Platinum malware using Hot Patching since 2009

A group that Microsoft researchers call Platinum has been using a technique known as hot patching to hide its malware from security products. The group has used this technique effectively since 2009 and has possibly infected many Asian government, defence and intelligence agencies.

The group has traditionally used spear phishing against specific organizations and individuals as its main attack vector, following it with exploits for zero-day vulnerabilities to install custom malware. To remain stealthy, it launches only a few attack campaigns each year. The custom malware used by this group has self-deletion capabilities and is designed to hide in the target's peak traffic by operating only during the target's business hours.

Hotpatching is an obscure feature that was first introduced in Windows Server 2003 and allows dynamic updating of system components without a system restart. Hotpatching was removed in Windows 8 and later versions because it was rarely used: during the 12-year support life of Windows Server 2003, only 10 patches used it. The potential use of hotpatching as a stealthy way to inject malicious code into running processes was described by security researcher Alex Ionescu at the SyScan security conference in 2013, and it is his technique that the Platinum group uses.

Friday, April 29, 2016

Third Party Risk Assessments

In today's business world, IT risk plays an important role. Every business executive understands risk and the need to balance "risk and reward" effectively, and has a good handle on risks such as credit risk, operational risk and market risk, among others. In many instances this is even strengthened by regulatory requirements. Still, most businesses fail to measure IT risk appropriately, and some entirely fail to incorporate third-party IT risk.
In an era where cyber-attacks are imminent, it is increasingly important for businesses to understand their IT risk, and specifically their third-party risk. According to a recent report by Booz Allen Hamilton, third parties were the number-one security risk to financial services firms in 2015.
Some businesses are making an effort to review their third-party agreements and to include cyber security requirements and annual reviews in their contracts, but is this enough?
Third-party security risk management requires regular reassessments to ensure that security, privacy and compliance are in order. Though most vendors prefer multi-year agreements, risk assessments should be an annual practice. Maintain a quality IT risk assessment questionnaire to elicit responses from your third parties. As a best practice, you should also reassess risk and security posture whenever contracts are updated or changed. A key point worth mentioning here is to pay attention to the tone of the responses, not just their content. Your questionnaire should elicit responses, and possibly discussions, from the service provider; it should not be a simple binary "Yes"/"No" checklist.
This can be burdensome for many organizations. In such cases, you may be able to lean on MSSPs to provide resources for this effort. Independent third-party certifications such as SSAE 16, SOC 1 and SOC 2 or ISO 27001 may be of value too. "SecurityScoreCard.com" is also a good resource. Don't forget to ask for evidence of a recent DR/BCP test, incident response test and risk assessment reports. Keeping track of these results and documenting them year over year will go a long way in helping track the provider's progress over time.
Communication processes, or "who notifies whom, of what, when and how", are very important. Lay down clear guidelines about data ownership, breach notifications and subpoenas, and the responsibilities of each party. Understand where the hand-offs occur and who is responsible. Prefer titles to names.
Businesses are constantly changing and evolving, and so should the relationship with your third parties. Third-party due diligence will help maintain a healthy relationship with them, and with a good understanding of security risks, your business can innovate, grow and reach its business goals.

Tuesday, April 26, 2016

5 Ways to Avoid a Cryptolocker Crisis

“You are infected. If you want to use your data again, pay us 300USD.”

Cryptolocker, ransomware developed by cyber criminals that encrypts all the files on the infected computer and demands a ransom in exchange for a decryption key, has infected hundreds of thousands of computers around the world and has collected up to $30 million in ransom so far. What makes this code highly destructive is that the decryption key, which is needed to regain access to the encrypted files, is held only by the attackers; once the key is lost, the encrypted data is essentially lost forever.

So, if you don't want this ransomware to lock all your personal and business files and hold them until you pay a ransom to the attackers, follow the 5 safety tips given below to minimize your exposure to Cryptolocker.

1. Back Up Everything

There is no way to retrieve your data once Cryptolocker has encrypted it. Therefore, create regular backups. Follow the 3-2-1 backup rule to mitigate the risk of data loss due to Cryptolocker.
The 3-2-1 backup rule tells you to:
          3 — Have three copies of your data
          2 — Keep the backups on two different media
          1 — Have one offsite backup
Also, make sure that the data on your portable hard drives and USB flash drives has been backed up too, because Cryptolocker can infect your portable storage devices as well.

2. Clean Up Your Machine

When you have no choice but to pay the ransom, first make sure that you have taken every possible measure to prevent the spread of this highly virulent infection. Disconnect the infected machine from the internet, turn off cloud backup services, and remove any portable storage devices connected to the computer. Don't forget to report the cyber crime to the relevant local or federal authority.

3. Don't Open Suspicious Emails

No matter how strong the temptation, never open unsolicited emails or emails that arouse suspicion or a sense of urgency. If you have accidentally downloaded an attachment that looks dodgy, immediately run an anti-virus scan to remove any malicious code in it before it damages your computer.

4. Control the Access Rights of Your Employees

The BYOD culture and the excessive use and sharing of encrypted data have made networks more vulnerable to different types of ransomware. Review the access rights of your employees and grant only what is necessary. Also, educate your network users on best practices for data handling, and tell them to contact IT security personnel if they suspect an infection.

5. Patch to Protect

Cyber criminals exploit vulnerabilities in Microsoft and Adobe products to gain access to users' computers and infect them. Therefore, keep your systems updated with the latest virus definitions and patches.

Using these tips, you can minimize your chances of getting a Cryptolocker infection.