PLATINUM (cybercrime group)

PLATINUM is the name given by Microsoft to a cybercrime collective active against governments and related organizations in South and Southeast Asia.[1] They are secretive and not much is known about the members of the group.[2] The group's skill means that its attacks sometimes go without detection for many years.[1]

The group, considered an advanced persistent threat, has been active since at least 2009,[3] targeting victims via spear-phishing attacks against government officials' private email addresses, zero-day exploits, and abuse of the Windows hot-patching mechanism.[4][5] Upon gaining access to their victims' computers, the group steals economically sensitive information.[1]

PLATINUM succeeded in keeping a low profile until its abuse of the Microsoft Windows hot-patching system was detected and publicly reported in April 2016.[2] Hot patching lets the group use Microsoft's own features to quickly patch or alter files, or update an application, without rebooting the system. In this way it can keep hold of the data it has stolen while masking its identity.[2]

In June 2017, PLATINUM became notable for exploiting the serial-over-LAN (SOL) capabilities of Intel's Active Management Technology to perform data exfiltration.[6][7][8][9][10][11][12][13]

PLATINUM's techniques

PLATINUM has been known to exploit web plugins; in 2009 it infiltrated the computers of several Indian government officials using a website that provided an email service.[1]

Once in control of a target's computer, PLATINUM actors can move through the target's network using specially built malware modules. These have either been written by one of the multiple teams working under the PLATINUM group umbrella, or they could have been sold through any number of outside sources that PLATINUM has been dealing with since 2009.[1]

Because of the diversity of this malware, the versions of which have little code in common, Microsoft's investigators have taxonomised it into families.[1]

The piece of malware most widely used by PLATINUM was nicknamed Dispind by Microsoft.[1] This malware can install a keylogger, a piece of software that records (and may also be able to inject) keystrokes.

PLATINUM also uses other malware such as "JPIN", which installs itself into the %appdata% folder of a computer so that it can obtain information, load a keylogger, download files and updates, and perform other tasks such as extracting files that could contain sensitive information.[1]

"Adbupd" is another malware program utilised by PLATINUM, and is similar to the two previously mentioned. It is known for its ability to support plugins, so it can be specialised, making it versatile enough to adapt to various protection mechanisms.[1]

Intel Exploit

In 2017, Microsoft reported that PLATINUM had begun to exploit a feature of Intel CPUs.[14] The feature in question is Intel's AMT Serial-over-LAN (SOL), which allows a user to remotely control another computer while bypassing the target's host operating system, and with it any firewalls and monitoring tools running within that operating system.[14]
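Because the SOL channel described above terminates in the AMT firmware rather than in the host operating system, controls inside that OS cannot observe it, and detection has to move to the network. As an added example (not from this article or from Microsoft's report), the following Python classifies constructed flow records against the Intel AMT service ports; the management-console allow-list and the byte threshold are assumptions chosen for illustration.

```python
"""Flag Intel AMT serial-over-LAN (SOL) sessions in network flow records.
SOL terminates in the AMT firmware, not the host OS, so host firewalls and
endpoint tools never see it; a flow-export or SPAN-port sensor does."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Intel AMT ports: 16994/16995 carry the redirection protocol used by SOL
# (plain/TLS); 16992/16993 are the AMT web and WS-Management interface.
AMT_REDIRECTION_PORTS = {16994, 16995}
AMT_MANAGEMENT_PORTS = {16992, 16993}
# Hypothetical allow-list of consoles permitted to open AMT sessions.
AUTHORIZED_CONSOLES = {"10.0.0.5"}
# Assumed threshold: an interactive SOL console moves little data, so a
# multi-megabyte session in either direction is worth a look.
BULK_BYTES_THRESHOLD = 1_000_000


@dataclass(frozen=True)
class Flow:
    src: str            # client that opened the connection
    dst: str            # AMT-enabled host being managed
    dport: int
    client_bytes: int   # bytes src -> dst (e.g. tooling pushed into the host)
    server_bytes: int   # bytes dst -> src (e.g. data leaving the host)


def classify_flow(flow: Flow) -> Optional[str]:
    """Return an alert label for an AMT-related flow, or None if unremarkable."""
    if flow.dport in AMT_REDIRECTION_PORTS:
        if flow.src not in AUTHORIZED_CONSOLES:
            return "amt-sol-unauthorized-source"
        if max(flow.client_bytes, flow.server_bytes) > BULK_BYTES_THRESHOLD:
            return "amt-sol-bulk-transfer"
        return None
    if flow.dport in AMT_MANAGEMENT_PORTS and flow.src not in AUTHORIZED_CONSOLES:
        return "amt-management-unauthorized-source"
    return None


def scan(flows: List[Flow]) -> List[Tuple[str, str, int, str]]:
    """Run classify_flow over a batch and keep only the flagged flows."""
    labelled = ((f, classify_flow(f)) for f in flows)
    return [(f.src, f.dst, f.dport, lab) for f, lab in labelled if lab]


# Constructed sample flow records (not real traffic).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "10.0.1.20", 16994, 12_000, 48_000),    # console SOL session
    Flow("10.0.0.5", "10.0.1.21", 16994, 9_000, 5_200_000),  # console, but bulk data out
    Flow("10.0.7.99", "10.0.1.22", 16995, 4_000, 3_000_000), # unknown source, TLS SOL
    Flow("10.0.7.99", "10.0.1.22", 443, 80_000, 200_000),    # ordinary HTTPS, ignored
    Flow("10.0.7.42", "10.0.1.23", 16992, 2_000, 30_000),    # unknown source, AMT web UI
]
```

Running `scan(SAMPLE_FLOWS)` flags three of the five constructed flows; the legitimate console session and the ordinary HTTPS flow pass through unflagged.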

Security

Microsoft advises users to apply all of their security updates to minimize vulnerabilities and to keep highly sensitive data out of large networks.[1] Because PLATINUM targets organizations, companies and government branches to acquire trade secrets, anyone working in or with such organizations can be a target for the group.[15]

References

  1. "PLATINUM Targeted attacks in South and Southeast Asia" (PDF). Windows Defender Advanced Threat Hunting Team (Microsoft). 2016. Retrieved 2017-06-10.
  2. Osborne, Charlie. "Platinum hacking group abuses Windows patching system in active campaigns". ZDNet. Retrieved 2017-06-09.
  3. Eduard Kovacs (2017-06-08). ""Platinum" Cyberspies Abuse Intel AMT to Evade Detection". SecurityWeek.Com. Retrieved 2017-06-10.
  4. Eduard Kovacs (2016-04-27). ""Platinum" Cyberspies Abuse Hotpatching in Asia Attacks". SecurityWeek.Com. Retrieved 2017-06-10.
  5. msft-mmpc (2016-04-26). "Digging deep for PLATINUM – Windows Security". Blogs.technet.microsoft.com. Retrieved 2017-06-10.
  6. Peter Bright (2017-06-09). "Sneaky hackers use Intel management tools to bypass Windows firewall". Ars Technica. Retrieved 2017-06-10.
  7. Tung, Liam (2014-07-22). "Windows firewall dodged by 'hot-patching' spies using Intel AMT, says Microsoft". ZDNet. Retrieved 2017-06-10.
  8. msft-mmpc (2017-06-07). "PLATINUM continues to evolve, find ways to maintain invisibility – Windows Security". Blogs.technet.microsoft.com. Retrieved 2017-06-10.
  9. Catalin Cimpanu (2017-06-08). "Malware Uses Obscure Intel CPU Feature to Steal Data and Avoid Firewalls". Bleepingcomputer.com. Retrieved 2017-06-10.
  10. Juha Saarinen (2017-06-08). "Hackers abuse low-level management feature for invisible backdoor - Security". iTnews. Retrieved 2017-06-10.
  11. Richard Chirgwin (2017-06-08). "Vxers exploit Intel's Active Management for malware-over-LAN. Platinum attack spotted in Asia, needs admin credentials". The Register. Retrieved 2017-06-10.
  12. Christof Windeck (2017-06-09). "Intel-Fernwartung AMT bei Angriffen auf PCs genutzt | heise Security". Heise.de. Retrieved 2017-06-10.
  13. "PLATINUM activity group file-transfer method using Intel AMT SOL | Windows Security Blog | Channel 9". Channel9.msdn.com. 2017-06-07. Retrieved 2017-06-10.
  14. "Platinum hacker group uses Intel AMT". Tad Group. 2017-09-25.
  15. Liu, Jianhong (2017-07-15). Comparative Criminology in Asia. Springer. ISBN 9783319549422.