Check Point security researchers Itay Cohen and Eyal Itkin were able to track 16 Windows exploits to two different exploit developers. Check Point successfully matched 15 of the exploits to a known exploit developer and found that the exploits were created between 2015 and 2019, which makes up a notable share of the overall Windows Kernel Local Privilege Escalation (LPE) exploits known. The methods used by Check Point researchers were to look for uncommon source code identifiers that can be attributed to a specific developer. Every developer has their particular style and unique coding artifacts such as strings, hardcoded values, PDB paths, coding habits and techniques, code snippets and framework information can be used to identify the individual developer. Check Point stated, “Assuming that exploit authors work independently, and only distribute their code/binary module to the malware authors, we decided to focus on them for a change. By analyzing the exploits embedded in malware samples, we can learn more about the exploit authors, hopefully distinguishing between them by studying their coding habits and other fingerprints left as clues on their identity, when distributing their products to their malware writing counterparts.” When analyzing the distribution of 0-day exploits versus 1-day exploits, researchers found that malware used by government-backed Advanced Persistent Threat (APT) groups accounted for most of the 0-day exploit use, whereas malware used by cyber-criminal groups favored 1-day exploits. This is most likely due to the high price at which 0-day exploits are typically sold.
Watch the Video
How does Binary Defense help protect your organization? With best in breed cybersecurity tactics, techniques, and services, we make sure that your environment is secure against the most advanced attacks.