View all newsletters
Receive our newsletter - data, insights and analysis delivered to you

Microsoft TechNet beseiged by Chinese hacking gang

Attackers hid malicious commands on IT trade forum.


Microsoft TechNet, a website for the IT trade, is under attack from an advanced Chinese hacking gang trying a novel method of hosting its command and control (C&C) server, according to the security vendor FireEye.

The hackers, dubbed APT17, were found using TechNet forum threads and profile pages to host encoded C&C traffic directing the backdoor malware BlackCoffee to their server, in an attack that could be replicated across other forums even on otherwise secure sites.

Laura Galante, manager of threat intelligence at FireEye, said: "This latest tactic by APT17 of using websites’ legitimate functionalities to conduct their communications shows just how difficult it is for organisations to detect and prevent advanced threats.

"Given its effectiveness, we anticipate that this encoding and obfuscation will become a truly pervasive tactic adopted by threat actors around the world."

APT17 has in the past targeted US government bodies, nongovernmental organisations and private companies in law, IT a mining throughout the world.

Though the tactic of hiding their activities on forums is relatively modern, the group has in the past been spotted using search engines such as Google and Bing to disguise their attacks.

To combat the problem on TechNet, Microsoft and FireEye replaced the encoded domains with ones that they could control.

Content from our partners
The growing cybersecurity threats facing retailers
How to integrate security into IT operations
How Kodak evolved to tackle seismic changes in the print industry and embrace digital revolution

"By working closely with companies like Microsoft and targeted organizations to develop threat intelligence, we can assist security professionals and disrupt these activities," Galante said.

BlackCoffee is capable of uploading and downloading files, and can create a reverse shell that communicates back to the machine that is attacking it.

Websites in our network
NEWSLETTER Sign up Tick the boxes of the newsletters you would like to receive. Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
I consent to New Statesman Media Group collecting my details provided via this form in accordance with the Privacy Policy