Researchers use 'fingerprints' tech to spot Russian hackers

correlate
May 4, 2019
Hackers, too, leave their fingerprints as they attack enterprises and individuals, and cyber security researchers have now developed a new technique to "fingerprint" them, spotting two prolific Russian-origin sellers of Windows exploits.
The team from cyber security firm Check Point, when analysing a complicated attack against one of their customers, noticed a very small 64-bit executable that was executed by the malware. The sample contained unusual debug strings that pointed at an attempt to exploit a vulnerability on the victim machine.


https://www.indiatvnews.com/author/ians

silversurfer
Aug 17, 2014
Conclusion
Our research methodology was to fingerprint an exploit writer’s characteristics and later on use these properties as a unique hunting signature. We deployed this technique twice when tracking down Volodya’s exploits and those of PlayBit. Having these two successful test cases, we believe that this research methodology can be used to identify additional exploit writers. We recommend other researchers try our suggested technique and adopt it as an additional tool in their arsenal.

During this research, we focused on the exploits that are used by or embedded in different malware families, both in APT attacks and in commodity malware (especially ransomware). Although they are widespread, we often found detailed malware reports that neglected to mention that the malware at hand also uses an exploit for escalating its privilege.

The fact that we were able to use our technique, repeatedly, to track 16 Windows LPE exploits, written and sold by two different actors, was very surprising. Considering that 15 of them date to the timeframe of 2015-2019, it is plausible to assume that they constitute a significant share of the exploitation market, specifically for Windows LPE exploits.

Finally, it is impossible to tell the overall number of Windows kernel 0-day vulnerabilities that are being actively exploited in the wild. Nation-state actors are less likely to get caught and thus the infosec community does not have clear visibility to their ammo crate. That said, we can still get insights by looking at the exploits that were caught, while remembering this survivorship bias. Last year, Kaspersky reported a single actor who distributed an exploit framework that includes 3 more 0-Days. Adding up these numbers, we see that 8 out of 15 zero-day exploits, more than half of the “market-share”, are attributed to only two actors(!). This means that our research technique could potentially be used to track down many of the actors in the seen market, if not all of them.

Dave Russo
May 26, 2014
Malwarebytes or HitmanPro.Alert or Microsoft EMET: are any or all of these programs enough to cover exploit vulnerabilities?
Microsoft strongly implies that if you are running Windows 10, there is no need for EMET anymore. ??? Any insight here is appreciated

plat
Sep 13, 2018
EMET doesn't run on later Windows 10 versions, like 1809 to present. We have various Exploit Guards found under App and browser control. This is where you can find SmartScreen settings and Potentially unwanted app blocking, as well as SmartScreen for Microsoft Store apps (in Reputation-based protection).

For Exploit protection:

Under System settings: 6 of 7 mitigations are enabled by default
Under Program settings: there are numerous overrides for various .exe files, but it's tricky-to-impossible to add your own without silent blocks. It's trial and error, imo. That's one reason I use third-party script blocking plus firewall hardening. There's the standalone Malwarebytes MBAE perpetual beta, which I think is still around. Haven't used it, though.

I used to run EMET in Windows 8.1. Not user-friendly at all, but curiously effective once you configured it properly. (y)

EMET end of life

edit: typo
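As an added PowerShell example (not from plat's post or any other MalwareTips content), this is the audit-first way to review the Exploit Protection system and program settings discussed above and to add a per-program override without the silent blocks; `notepad.exe` and the backup path are placeholders, and the commands need Windows 10 1709 or later in an elevated prompt.

```powershell
# Added example: audit Windows Defender Exploit Protection (the post-EMET mitigations
# under "App & browser control") from PowerShell. Assumes Windows 10 1709+ and an
# elevated prompt. 'notepad.exe' and the backup path below are placeholders.

# 1. System-wide defaults (the "System settings" page).
Get-ProcessMitigation -System | Format-List

# 2. Export every current override to XML so the policy can be reviewed, diffed,
#    or restored later with: Set-ProcessMitigation -PolicyFilePath $backup
$backup = Join-Path $env:TEMP 'exploit-protection-backup.xml'
Get-ProcessMitigation -RegistryConfigFilePath $backup
Write-Host "Current policy exported to $backup"

# 3. Per-program overrides for one executable (the "Program settings" page).
Get-ProcessMitigation -Name 'notepad.exe' | Format-List

# 4. Try new mitigations in audit mode first: audit flags only log what would have
#    been blocked, which is how you find the silent blocks before they happen.
Set-ProcessMitigation -Name 'notepad.exe' -Enable AuditDynamicCode, AuditRemoteImageLoads

# 5. Read what the mitigations logged (Event Viewer: Applications and Services Logs >
#    Microsoft > Windows > Security-Mitigations > UserMode).
Get-WinEvent -LogName 'Microsoft-Windows-Security-Mitigations/UserMode' -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap

# 6. Only once the audit log stays clean for normal use, switch to enforcement.
Set-ProcessMitigation -Name 'notepad.exe' -Enable BlockDynamicCode, BlockRemoteImageLoads

# To back out, drop every override for the program:
# Set-ProcessMitigation -Name 'notepad.exe' -Remove
```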
