Researchers use ‘fingerprints’ to track Windows exploit developers


More to the point, Check Point security researchers Itay Cohen and Eyal Itkin were able to track 16 Windows Kernel Local Privilege Escalation (LPE) exploits to two different exploit developers known as Volodya (or BuggiCorp) and PlayBit (or luxor2008).

15 of the exploits Check Point successfully matched to a known exploit dev were created between 2015 and 2019, potentially making up a notable share of the overall Windows LPE exploitation market at the time.

Searching for unique artifacts

Their method involves looking for uncommon source-code identifiers that can be tied to a specific exploit writer: unique artifacts (strings, hardcoded values, and PDB paths), coding habits and techniques, recurring code snippets, and framework information.
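As an added illustration of the artifact-based linking the article describes (this is not Check Point's tooling), the Python sketch below pulls the PDB path out of a CodeView RSDS record and the printable strings out of a few constructed sample blobs, then links samples that share an artifact which is rare across the set. Every sample, path and string here is made up for the example.

```python
import re
import struct
from collections import defaultdict

def make_rsds(pdb_path: bytes) -> bytes:
    """Build a CodeView RSDS record: signature, 16-byte GUID, 4-byte age, NUL-terminated path."""
    return b"RSDS" + b"\x11" * 16 + struct.pack("<I", 1) + pdb_path + b"\x00"

# Constructed stand-ins for exploit binaries (hypothetical paths and strings, not real samples).
SAMPLES = {
    "sample_a": b"\x90" * 8 + make_rsds(b"C:\\work\\lpe\\x64\\Release\\cve_a.pdb")
                + b"\x00build 7601 ok\x00padding\x00",
    "sample_b": b"\xcc" * 4 + make_rsds(b"C:\\work\\lpe\\x64\\Release\\cve_b.pdb")
                + b"\x00other text\x00",
    "sample_c": b"\x00" * 6 + make_rsds(b"D:\\dev\\kernel\\Release\\poc.pdb")
                + b"\x00build 7601 ok\x00",
    "sample_d": b"MZ" + b"\x00" * 10 + b"\x00unrelated tool\x00",
}

def extract_pdb_path(data: bytes):
    """Return the PDB path from the first RSDS record, or None if there is none."""
    idx = data.find(b"RSDS")
    if idx < 0:
        return None
    start = idx + 4 + 16 + 4            # skip signature, GUID and age fields
    return data[start:data.index(b"\x00", start)].decode("latin-1")

def extract_strings(data: bytes, min_len: int = 6):
    """Printable ASCII runs of at least min_len bytes, like the classic `strings` tool."""
    return {m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)}

def fingerprint(data: bytes):
    arts = set()
    pdb = extract_pdb_path(data)
    if pdb:
        arts.add("pdb:" + pdb)
        arts.add("pdbdir:" + pdb.rsplit("\\", 1)[0])   # build tree is more stable than file name
    arts.update("str:" + s for s in extract_strings(data))
    return arts

def shared_artifacts(samples):
    """Artifacts seen in more than one sample but not in every sample: the attribution pivots."""
    owners = defaultdict(set)
    for name, data in samples.items():
        for art in fingerprint(data):
            owners[art].add(name)
    return {a: frozenset(n) for a, n in owners.items() if 1 < len(n) < len(samples)}

def cluster(samples):
    """Transitively link samples that share any pivot artifact."""
    groups = {n: {n} for n in samples}
    for names in shared_artifacts(samples).values():
        merged = set().union(*(groups[n] for n in names))
        for n in merged:
            groups[n] = merged
    return {frozenset(g) for g in groups.values()}
```

On the constructed set, sample_a and sample_b share a build directory and sample_a and sample_c share a status string, so the three end up in one cluster while sample_d stays alone; a real workflow would feed the same artifact table into YARA rules for retrospective hunting.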

Source: Bleeping Computer