Security Experts Develop New 'Fingerprinting' Technique to Link Russian Hacking Groups to Windows Exploit Sellers

Security researchers developed a new technique to track hackers through their "fingerprints." They were able to link Windows local privilege escalation (LPE) exploits to two different authors.


They believed that the Windows exploit sellers had previously sold their creations to Russian advanced persistent threat (APT) groups and other clients. According to a blog post by the cybersecurity firm Check Point, the new strategy was developed off the back of a customer incident response, in which a small 64-bit executable was found during the cyber attack.

The team analyzed the file and found unique debug strings that pointed to an attempt to exploit a vulnerability on one of the target machines. A leftover PDB path (...cve-2019-0859x64ReleaseCmdTest.pdb0) was discovered in the file, which indicated the use of a real-world exploit tool.

The security researchers decided to use the new technique to "fingerprint" recognizable, unique identifiers that can be treated as the work of specific exploit developers. Check Point then secured a second, 32-bit file, which turned out to be compiled work of the same individual.

The security researchers also analyzed the cybercriminals' elevation techniques.

Check Point researchers also studied unique artifacts in internal file names, binary code, PDB paths, and hardcoded values, such as crypto constants. They also analyzed garbage values, string usage, data tables, syscall wrappers, and code snippets.
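The following added example shows how one of these artifacts, the embedded PDB path, can be pulled out of binaries and used to group samples. It is not Check Point's code or hunting rules. It assumes a simple scan for the CodeView "RSDS" debug record instead of walking the PE debug directory, and the sample names, paths, and the file-name fingerprint key are all constructed for illustration.

```python
import re
import struct
import uuid
from collections import defaultdict

# CodeView "RSDS" debug record: signature, 16-byte GUID, 4-byte age,
# then the NUL-terminated PDB path the linker embedded at build time.
RSDS = re.compile(rb"RSDS(.{16})(.{4})([\x20-\x7e]{1,260}?\.pdb)\x00",
                  re.DOTALL | re.IGNORECASE)

def extract_pdb_records(blob: bytes):
    """Return (guid, age, pdb_path) for every RSDS record found in blob."""
    records = []
    for m in RSDS.finditer(blob):
        guid = str(uuid.UUID(bytes_le=m.group(1)))
        age = struct.unpack("<I", m.group(2))[0]
        records.append((guid, age, m.group(3).decode("ascii")))
    return records

def pdb_basename(path: str) -> str:
    """Hypothetical fingerprint key: lower-cased PDB file name, any separator."""
    return re.split(r"[\\/]", path)[-1].lower()

def shared_fingerprints(samples: dict) -> dict:
    """Map each PDB file name seen in two or more samples to those samples."""
    seen = defaultdict(set)
    for name, blob in samples.items():
        for _guid, _age, path in extract_pdb_records(blob):
            seen[pdb_basename(path)].add(name)
    return {key: sorted(names) for key, names in seen.items() if len(names) > 1}

def make_sample(path: str, age: int = 1) -> bytes:
    """Constructed input: filler bytes around one RSDS record (not a real PE)."""
    guid = uuid.UUID("00112233-4455-6677-8899-aabbccddeeff").bytes_le
    record = b"RSDS" + guid + struct.pack("<I", age) + path.encode("ascii") + b"\x00"
    return b"MZ" + b"\x00" * 64 + record + b"\xcc" * 16

# Constructed samples; file names and paths are invented for illustration.
SAMPLES = {
    "sample_a.exe": make_sample(r"D:\dev\proj-one\x64\Release\DemoTest.pdb"),
    "sample_b.exe": make_sample(r"D:\dev\proj-two\Release\demotest.pdb", age=3),
    "sample_c.exe": make_sample(r"C:\build\other\x64\Release\Unrelated.pdb"),
    "sample_d.exe": b"MZ" + b"\x90" * 128,  # stripped build: no debug record
}

if __name__ == "__main__":
    for key, names in shared_fingerprints(SAMPLES).items():
        print(key, "->", ", ".join(names))
```

A shared PDB file name is a weak signal by itself; it becomes useful when combined with the other artifacts listed above, such as hardcoded values and syscall wrappers.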


The team also analyzed the hacker's preferred elevation and leaking techniques, including whether or not heap spraying was used. They also investigated the general process of the exploits.

The two small binaries then turned into a flow of new samples, all found based on the newly established Check Point hunting rules. The security experts examined the new samples and analyzed the techniques used, allowing them to identify two exploit sellers.


This article is owned by TechTimes.

Written by: Giuliano de Leon.
