Security researchers have developed a new technique to track hackers through their "fingerprints." They were able to link Windows local privilege escalation (LPE) exploits to two different authors.
They believe that these Windows exploit sellers had previously sold their creations to Russian advanced persistent threat (APT) groups and other clients. According to a blog post by the cybersecurity firm Check Point, the new approach grew out of a customer incident-response engagement in which a small 64-bit executable was found during the attack.
The team analyzed the file and found unique debug strings pointing to an attempt to exploit a vulnerability on one of the target machines. A leftover PDB path (...\cve-2019-0859\x64\Release\CmdTest.pdb0) was discovered in the file, which indicated the use of a real-world exploit tool.
The researchers decided to use the new technique to "fingerprint" recognizable, unique identifiers that can be attributed to specific exploit developers. Check Point then obtained another 32-bit file, which turned out to be the compiled work of the same individual.
The security researchers also analyzed the cybercriminals' elevation techniques.
Check Point researchers also studied unique artifacts in internal file names, binary code, PDB paths, and hardcoded values such as crypto constants. They also analyzed garbage values, string usage, data tables, syscall wrappers, and code snippets.
The team also analyzed the authors' preferred elevation and leaking techniques, including whether or not heap spraying was used, and investigated the general flow of the exploits.
From there, the two small binaries turned into a stream of new samples, all found with the newly established Check Point hunting rules. The researchers then examined the new samples and the techniques they used, which allowed them to identify two exploit sellers.
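As an added illustration of the fingerprinting idea described above (example code written for this article, not Check Point's tooling or hunting rules), the Python below extracts a handful of author-style markers from a binary blob and scores two samples by how many markers they share. The marker choices (the PDB project directory and file name with build folders stripped, a few well-known hardcoded crypto constants, and "[-] ..."-style debug messages), the threshold, and the three sample blobs are all constructed assumptions for this example.

```python
from __future__ import annotations

import re
import struct
from dataclasses import dataclass

# Hardcoded constants that survive recompilation and therefore act as style markers.
# The values are the standard published constants; which ones to look for is an
# assumption for this example.
CRYPTO_CONSTANTS = {
    "crc32_poly_reflected": 0xEDB88320,  # CRC-32 reflected polynomial
    "md5_k0": 0xD76AA478,                # first MD5 round constant
    "sha256_h0": 0x6A09E667,             # first SHA-256 initial hash value
    "fnv1_32_offset": 0x811C9DC5,        # FNV-1 32-bit offset basis
}

# Build-output folders that differ between 32-bit and 64-bit builds of the same
# project; stripping them lets both builds share one project-directory marker.
BUILD_DIRS = {"x64", "x86", "win32", "release", "debug"}

PDB_RE = re.compile(rb"[A-Za-z]:\\[^\x00\r\n]{1,300}?\.pdb", re.IGNORECASE)
# Debug messages such as "[-] ...", "[+] ...", "[*] ..." (assumed convention)
DEBUG_STR_RE = re.compile(rb"\[[-+*!]\] [ -~]{4,120}")


@dataclass(frozen=True)
class Fingerprint:
    markers: frozenset[str]


def project_dir(pdb_path: str) -> str:
    """Last directory component of a PDB path that is not a build-output folder."""
    parts = pdb_path.split("\\")[:-1]  # drop the file name
    while parts and parts[-1].lower() in BUILD_DIRS:
        parts.pop()
    return parts[-1].lower() if parts else ""


def fingerprint(blob: bytes) -> Fingerprint:
    """Collect PDB, constant and debug-string markers from a raw binary."""
    markers: set[str] = set()
    for m in PDB_RE.finditer(blob):
        path = m.group(0).decode("latin-1")
        markers.add("pdbfile:" + path.rsplit("\\", 1)[-1].lower())
        if project_dir(path):
            markers.add("pdbdir:" + project_dir(path))
    for name, value in CRYPTO_CONSTANTS.items():
        # x86/x64 binaries store immediates little-endian
        if struct.pack("<I", value) in blob:
            markers.add("const:" + name)
    for m in DEBUG_STR_RE.finditer(blob):
        markers.add("str:" + m.group(0).decode("ascii").strip().lower())
    return Fingerprint(frozenset(markers))


def similarity(a: Fingerprint, b: Fingerprint) -> float:
    """Jaccard similarity of two marker sets (0.0 = nothing shared, 1.0 = identical)."""
    if not a.markers and not b.markers:
        return 0.0
    return len(a.markers & b.markers) / len(a.markers | b.markers)


def same_author(a: bytes, b: bytes, threshold: float = 0.5) -> bool:
    """Cluster two samples together when they share enough markers (assumed threshold)."""
    return similarity(fingerprint(a), fingerprint(b)) >= threshold


# Constructed sample blobs standing in for a 64-bit build, a 32-bit build of the
# same project, and an unrelated binary. They are not real malware or exploit code.
_HEADER = b"MZ\x90\x00" + b"\x00" * 16
SAMPLE_64 = (_HEADER + b"[-] failed to leak pool address\x00"
             + struct.pack("<I", 0xEDB88320)
             + b"\x00C:\\work\\lpe_kit\\x64\\Release\\CmdTest.pdb\x00")
SAMPLE_32 = (_HEADER + b"[-] failed to leak pool address\x00"
             + struct.pack("<I", 0xEDB88320)
             + b"\x00C:\\work\\lpe_kit\\Release\\CmdTest32.pdb\x00")
SAMPLE_OTHER = (_HEADER + b"[+] spray done\x00"
                + struct.pack("<I", 0x6A09E667)
                + b"\x00D:\\src\\loader\\x64\\Release\\loader.pdb\x00")

if __name__ == "__main__":
    fp64, fp32, fpo = fingerprint(SAMPLE_64), fingerprint(SAMPLE_32), fingerprint(SAMPLE_OTHER)
    print("64-bit markers:", sorted(fp64.markers))
    print("64 vs 32 similarity:", similarity(fp64, fp32))      # 0.6
    print("64 vs other similarity:", similarity(fp64, fpo))    # 0.0
```

The 32-bit and 64-bit builds share the project directory, the CRC constant and the debug message, and differ only in the PDB file name, so they score 0.6 and land in the same cluster; the unrelated sample shares nothing. In practice the marker set would be broader (syscall wrapper shapes, data tables, leak and elevation technique choices, as the article lists), and each marker cluster becomes a hunting rule for pulling further samples from a corpus.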
This article is owned by TechTimes. Written by: Giuliano de Leon.