
Chinese Threat Group Uses Microsoft's TechNet Portal to Host C&C IPs


Jasper_The_Rasper
Moderator
By Eduard Kovacs on May 14, 2015

The Chinese threat actor known as APT17 and DeputyDog has been using profile pages and forum threads on Microsoft’s TechNet web portal to host IP addresses for command and control (C&C) servers.

Researchers at FireEye Threat Intelligence and the Microsoft Threat Intelligence Center have prepared a brief report on the advanced persistent threat (APT) actor’s C&C obfuscation techniques.

Experts have determined that the attackers haven’t actually compromised Microsoft’s website. Instead, they are using the portal’s legitimate functionality to host encoded strings that hide C&C IP addresses. Full Article


This Chinese threat actor is like a leech... will tag on to any means to exploit malicious code.

4 May 2015 at 12:49, John Leyden

Cyber-spies are increasingly attempting to hide their command and control operations in plain sight by burying their command infrastructure in the forums of internet heavyweights, including Microsoft.
FireEye and Microsoft have successfully shut down the Chinese threat actor APT17’s use of the MSFT TechNet blog to hide their hacking operations. State-sponsored hackers were posting comments on TechNet in order to embed encoded commands that only their malware could use.
APT17, a China-based advanced persistent threat group, posted in forum threads and created profile pages to host encoded C2 IP addresses that would direct a variant of the BLACKCOFFEE backdoor to their C2 server. TechNet’s security was not compromised by this tactic, which could also work on other forums and boards.
Most threat actors choose to compromise or hijack easily manipulated websites to host command and control nodes, which is a very noisy tactic that allows for quick detection of their location. APT17’s tactics of embedding phone home instructions on Microsoft’s forums are more subtle, but not unprecedented in the wider field of botnet communications. For example, some zombie networks have previously made use of Twitter profiles as a communication channel. APT17 had been observed using popular search engines including Google and Bing to hide their activities and host locations from security researchers.

Full article

Jasper_The_Rasper
Moderator
Summary: The companies say the TechNet website was being used as part of a Chinese hacking group's malware campaigns.

By Charlie Osborne for Zero Day | May 15, 2015

As TechNet supports a vast amount of traffic and hosts an open forum where Microsoft software customers can ask and respond to questions, the platform was an excellent conduit for hiding hacking activities.

"This technique can make it difficult for network security professionals to determine the true location of the CnC, and allow the CnC infrastructure to remain active for a longer period of time," FireEye said.

"TechNet's security was in no way compromised by this tactic."

Deputy Dog is a well-known Chinese hacking group which has launched attacks against tech firms, mining companies, defense contractors, law firms and US government agencies. The group has also been linked to attacks on Japanese targets.

Full Article
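Both articles describe the same dead-drop pattern: the implant fetches a legitimate, high-reputation page (a TechNet profile or thread), pulls an encoded string out of it, decodes a C2 IP address and then beacons to that address. The quoted FireEye comment explains why this is hard for network defenders: the first hop looks like ordinary browsing. The script below, an added example that is not code from FireEye, Microsoft or any of the quoted articles, shows one defender-side way to work with this pattern: scan the text of a watched page for delimited tokens that decode to an IPv4 address, then correlate a proxy log so that a host which fetched the page and shortly afterwards connected to the decoded address is flagged. The `[[DD:...]]` delimiters, the base64 and packed-hex encodings, the profile text, the `social.technet.example` URL and the log lines are all constructed assumptions for illustration; the real BLACKCOFFEE encoding scheme is not described on this page and is not reproduced here.

```python
"""Dead-drop C2 resolver detection: find encoded IPs hidden in forum/profile
text and correlate page fetches with later connections to the decoded IP.

Added example; the delimiters, encodings and sample data below are constructed
assumptions, not the scheme used by any real implant.
"""
import base64
import ipaddress
import re
from datetime import datetime, timedelta

# Hypothetical delimiters an implant might search for inside page text.
MARKER_START = "[[DD:"
MARKER_END = "]]"


def candidate_decodings(token):
    """Yield plausible plaintexts for a token: as-is, base64, packed hex."""
    yield token
    try:
        yield base64.b64decode(token, validate=True).decode("ascii", "ignore")
    except Exception:
        pass
    if re.fullmatch(r"[0-9a-fA-F]{8}", token):
        # Eight hex digits can be a packed IPv4 address.
        yield str(ipaddress.IPv4Address(int(token, 16)))


def extract_hidden_ips(page_text):
    """Return sorted, de-duplicated IPv4 addresses recoverable from delimited
    tokens in page_text. Each token is tried with every decoding until one
    parses as an IPv4 address."""
    found = set()
    pattern = re.escape(MARKER_START) + r"(.*?)" + re.escape(MARKER_END)
    for token in re.findall(pattern, page_text, flags=re.S):
        for cand in candidate_decodings(token.strip()):
            try:
                found.add(str(ipaddress.IPv4Address(cand.strip())))
                break
            except (ipaddress.AddressValueError, ValueError):
                continue
    return sorted(found)


# Constructed proxy-log format: "<iso-timestamp> <src> <dst> <url-or-dash>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<url>\S*)$")


def parse_log(lines):
    """Parse constructed proxy-log lines into event dicts (bad lines skipped)."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append({"ts": datetime.fromisoformat(m["ts"]),
                       "src": m["src"], "dst": m["dst"], "url": m["url"]})
    return events


def correlate(events, watched_pages, window=timedelta(minutes=10)):
    """Flag (src, dst, ts) where src fetched a watched page carrying a hidden
    IP and, within `window`, connected to that IP. Events must be in time order."""
    alerts = []
    for i, fetch in enumerate(events):
        page = watched_pages.get(fetch["url"])
        if page is None:
            continue
        hidden = set(extract_hidden_ips(page))
        for later in events[i + 1:]:
            if (later["src"] == fetch["src"] and later["dst"] in hidden
                    and timedelta(0) <= later["ts"] - fetch["ts"] <= window):
                alerts.append((later["src"], later["dst"], later["ts"].isoformat()))
    return alerts


# Constructed sample data: a benign-looking profile with one hidden token
# (base64 of "203.0.113.10"), and three proxy-log lines.
PROFILE_TEXT = """Hi, I'm a sysadmin who loves PowerShell.
[[DD:MjAzLjAuMTEzLjEw]] contact me for scripts."""
WATCHED_PAGES = {"https://social.technet.example/profile/user123": PROFILE_TEXT}
SAMPLE_LOG = [
    "2015-05-14T09:00:00 10.1.2.3 151.101.1.1 https://social.technet.example/profile/user123",
    "2015-05-14T09:00:31 10.1.2.3 203.0.113.10 -",
    "2015-05-14T09:05:00 10.1.2.9 198.51.100.7 https://example.org/news",
]

if __name__ == "__main__":
    print("hidden IPs:", extract_hidden_ips(PROFILE_TEXT))
    for src, dst, ts in correlate(parse_log(SAMPLE_LOG), WATCHED_PAGES):
        print(f"ALERT {ts}: {src} fetched a watched page then connected to {dst}")
```

The page-scan half on its own produces many false positives on real forums, which is why the correlation half matters: the signal is the sequence (fetch of a watched page, then a connection to an address recoverable from that page by the same host), not the presence of an odd-looking string. In practice the watched-page set would be fed from threat intelligence about the specific profiles or threads abused, and the decoded addresses would be pushed to the proxy or firewall blocklist alongside the alert.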

Excellent article Jeff... this group appears to be very organized and dangerous; these companies must keep their security tight and be vigilant.

May 15, 2015
Thank you for this excellent information!
