Microsoft's security researchers say they have detected a group of attackers who have found a way to turn a legitimate Windows patching mechanism against the operating system itself, in order to prevent the technology giant's researchers from detecting their activities.
Researchers from the Windows Defender Advanced Threat Hunting team have been investigating a particular group of hackers called Platinum that have been conducting cyber espionage campaigns against governmental organisations, defence institutes, intelligence agencies, and telecommunication providers in Southeast Asia and South Asia since 2009.
The reason Platinum has remained undetected for so long is that the group has gone to great lengths to develop covert techniques to stay hidden, and part of this strategy involves abusing a feature called "hotpatching" that Windows supported in versions prior to Windows 8 and Windows 10.
The feature is designed to help push urgent security patches and updates to Windows machines, letting the operating system modify code in a running process so that the PC can be updated without a reboot or a process restart. It was introduced with Windows Server 2003 Service Pack 1.
Because hotpatching is a genuine Windows mechanism and the patched code runs inside a legitimate system process, most security products do not flag it, so Platinum can quietly use hotpatching to load its own code into trusted processes on corporate networks without being detected. There is no backdoor in the feature itself: the attackers use it as designed, and invoking it requires administrator privileges, so it serves to hide activity after a machine has already been compromised rather than to gain initial access. Microsoft observed, in January, that this technique was being used in malware to target a company in Malaysia, and that the attackers had persistently targeted the company over a long period of time.
While not available on Windows 8 or Windows 10, hotpatching is supported by Windows Vista, Windows 7, Windows Server 2003 Service Pack 1, Windows Server 2008 and Windows Server 2008 R2.
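The practical first step for a company is to find out which of its machines still run a hotpatch-capable version. The following PowerShell inventory check is an added example, not code from the article or from Microsoft's report; it encodes only the versions listed above (version 5.2 with Service Pack 1 or later for Server 2003, 6.0 for Vista and Server 2008, 6.1 for Windows 7 and Server 2008 R2). It assumes the host list `$hosts` is replaced with your own inventory and that the account running it can query Win32_OperatingSystem on those hosts over WinRM; `localhost` is a placeholder.

```powershell
# Added example: list hosts whose Windows version still supports hotpatching.
# Not from the article or Microsoft's report. Assumes WinRM access to each host.
$hosts = @('localhost')   # placeholder; replace with your own inventory

function Test-HotpatchCapable {
    param([Parameter(Mandatory)] $Os)   # a Win32_OperatingSystem instance
    $v = [version]$Os.Version            # e.g. "6.1.7601"
    switch ("$($v.Major).$($v.Minor)") {
        '5.2' { return ($Os.ServicePackMajorVersion -ge 1) }  # Server 2003: SP1 or later only
        '6.0' { return $true }                                # Vista / Server 2008
        '6.1' { return $true }                                # Windows 7 / Server 2008 R2
        default { return $false }                             # 8, 8.1, 10, 2012+: not listed as supporting it
    }
}

$report = foreach ($h in $hosts) {
    try {
        $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $h -ErrorAction Stop
        [pscustomobject]@{
            Host            = $h
            OS              = $os.Caption
            Version         = $os.Version
            ServicePack     = $os.ServicePackMajorVersion
            HotpatchCapable = Test-HotpatchCapable $os
        }
    } catch {
        # Unreachable hosts are reported rather than silently skipped,
        # since an unqueried host is exactly the one an auditor would miss.
        [pscustomobject]@{
            Host = $h; OS = 'unreachable'; Version = $null
            ServicePack = $null; HotpatchCapable = $null
        }
    }
}

$report | Sort-Object HotpatchCapable -Descending | Format-Table -AutoSize
```

The script reports exposure only: a host flagged `HotpatchCapable` is one where this hiding technique would work once an attacker already holds administrator rights on it, so the result is an input to an upgrade and privilege-review plan, not evidence of compromise.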
IBTimes UK has contacted the Windows Defender Advanced Threat Hunting team to find out what companies can do if they are still using these products, and is currently awaiting a response.