
Microsoft TechNet besieged by Chinese hacking gang

Attackers hid malicious commands on IT trade forum.

By Jimmy Nicholls

Microsoft TechNet, a website for the IT trade, is under attack from an advanced Chinese hacking gang trying a novel method of hosting its command and control (C&C) server, according to the security vendor FireEye.

The hackers, dubbed APT17, were found using TechNet forum threads and profile pages to host encoded C&C traffic directing the backdoor malware BlackCoffee to their server, in an attack that could be replicated across other forums even on otherwise secure sites.

Laura Galante, manager of threat intelligence at FireEye, said: "This latest tactic by APT17 of using websites’ legitimate functionalities to conduct their communications shows just how difficult it is for organisations to detect and prevent advanced threats.

"Given its effectiveness, we anticipate that this encoding and obfuscation will become a truly pervasive tactic adopted by threat actors around the world."

APT17 has in the past targeted US government bodies, non-governmental organisations and private companies in law, IT and mining throughout the world.

Though the tactic of hiding their activities on forums is relatively modern, the group has in the past been spotted using search engines such as Google and Bing to disguise their attacks.

To combat the problem on TechNet, Microsoft and FireEye replaced the encoded domains with ones that they could control.

"By working closely with companies like Microsoft and targeted organizations to develop threat intelligence, we can assist security professionals and disrupt these activities," Galante said.

BlackCoffee is capable of uploading and downloading files, and can create a reverse shell that communicates back to the machine that is attacking it.
