Check Point security researchers Itay Cohen and Eyal Itkin were able to track 16 Windows exploits to two different exploit developers. Check Point successfully matched 15 of the exploits to a known exploit developer and found that the exploits were created between 2015 and 2019, which makes up a notable share of the overall Windows Kernel Local Privilege Escalation (LPE) exploits known. The methods used by Check Point researchers were to look for uncommon source code identifiers that can be attributed to a specific developer. Every developer has their particular style and unique coding artifacts such as strings, hardcoded values, PDB paths, coding habits and techniques, code snippets and framework information can be used to identify the individual developer. Check Point stated, “Assuming that exploit authors work independently, and only distribute their code/binary module to the malware authors, we decided to focus on them for a change. By analyzing the exploits embedded in malware samples, we can learn more about the exploit authors, hopefully distinguishing between them by studying their coding habits and other fingerprints left as clues on their identity, when distributing their products to their malware writing counterparts.” When analyzing the distribution of 0-day exploits versus 1-day exploits, researchers found that malware used by government-backed Advanced Persistent Threat (APT) groups accounted for most of the 0-day exploit use, whereas malware used by cyber-criminal groups favored 1-day exploits. This is most likely due to the high price at which 0-day exploits are typically sold.
Analyst Notes
Exploits that allow malware to escalate privileges from a standard user account to a local administrator account are dangerous, and unfortunately all too common. Usually, escalating privilege is the first priority of every attacker after successfully tricking a user into opening a malicious file that gives the attacker remote access to their workstation. Once the attacker has local administrator control, they can steal credentials from memory and start moving laterally to servers. Removing SE_DEBUG_PRIVILEGE from local administrator accounts through Group Policy is one way to help reduce this impact. The proliferation of 1-day exploits suggests that defenders should focus on patching quickly, since use any 1-day exploit can be averted by updating to the latest patch. Research such as this will give us a unique view of malware groups and where they get their exploits from. It shows that just a few talented exploit developers are likely responsible for the privilege escalation exploits used by many malware varieties across APT and criminal groups. This research suggests that focusing on prosecution of exploit developers may have a positive effect on reducing the capabilities of malware across the threat spectrum. All organizations should notify law enforcement when attacks happen so that the coding can be dissected and analyzed to possible track the original author. Most threat groups do not write the exploits that the integrate into their malware, they buy them from authors, so if the original author can be identified, law enforcement can possibly prosecute them.
