The subtle method of cyber insurgency is detailed in a new report by security firm FireEye. The company recently revealed a long-term Chinese hacking campaign against Asian companies, and has now detailed another China-based hacking threat, writes Jon Russell for TechCrunch.
Hackers embedded code in the comment section of TechNet
Hackers have apparently been using the Microsoft web forum TechNet in order to remotely activate malware, which could give the hackers access to an organization’s private network and the data contained in it.
The group of hackers responsible for running the operation is known as APT17, and they used TechNet to try to infiltrate a target. The operation has now been shut down by Microsoft and FireEye.
APT17 was apparently targeting government agencies, NGOs and legal firms rather than regular users of the site. Attempts to gain access to an organization began by getting malware onto the machine of an individual inside the target, perhaps by planting a malicious file via email. If the file was opened, the malware could then be triggered using code left in the comment section of the TechNet forum.
The software used by the group is known as BLACKCOFFEE, and allows APT17 hackers to upload and download files, terminate processes on a host machine and execute other backdoor commands. The subtlety of the attack meant that it would not be detected by internal security systems.
Sophisticated strategy likely to become more common
TechNet is a well-regarded site visited by IT professionals from around the world, and embedding malicious code there made it harder to detect than it would have been on websites already known to be compromised.
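The difficulty described above is that the implant's fetch of the forum page looks like ordinary traffic to a trusted site, so blocking the destination is not an option. What a defender can still look at is how the page is fetched: a backdoor polling a comment page does so on a timer and often with a user agent that no browser in the fleet produces. The following hunting script is an added example, not code from FireEye, Microsoft or the TechCrunch report. It scans constructed proxy log records (the tab-separated format, the host list, the browser allowlist and the thresholds are all assumptions) and flags forum fetches that are either periodic with little jitter or made with an unknown user agent.

```python
"""Hunt proxy logs for automated retrieval of forum pages (dead-drop style C2).

Added example for this article; not FireEye's, Microsoft's or APT17 code.
Input format (assumption): one record per line, tab-separated:
    <epoch seconds>\t<client host>\t<user agent>\t<url>
"""
from collections import defaultdict
from statistics import mean, pstdev
from urllib.parse import urlparse

# Public sites that host user-generated content and are also legitimately
# visited by staff (assumption: the organisation maintains this list).
FORUM_HOSTS = {"social.technet.microsoft.com"}

# User-agent strings of the browsers the organisation actually deploys
# (assumption); anything else fetching a forum page is worth a look.
KNOWN_BROWSER_UAS = {
    "Mozilla/5.0 (Windows NT 6.1; rv:37.0) Gecko/20100101 Firefox/37.0",
}

MIN_FETCHES = 4    # need several fetches of the same URL to judge timing
MAX_JITTER = 0.05  # pstdev(gaps) / mean(gaps); beacons on a timer stay well below this

# Constructed sample records: ws-101 is a person reading two threads once,
# ws-207 re-fetches one profile page roughly every 600 s with an odd user agent,
# ws-333 talks to an unrelated host and should be ignored entirely.
SAMPLE_LOGS = """\
1431100000\tws-101\tMozilla/5.0 (Windows NT 6.1; rv:37.0) Gecko/20100101 Firefox/37.0\thttps://social.technet.microsoft.com/Forums/en-US/thread-a
1431100040\tws-101\tMozilla/5.0 (Windows NT 6.1; rv:37.0) Gecko/20100101 Firefox/37.0\thttps://social.technet.microsoft.com/Forums/en-US/thread-b
1431100000\tws-207\tMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\thttps://social.technet.microsoft.com/profile/example-user/
1431100598\tws-207\tMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\thttps://social.technet.microsoft.com/profile/example-user/
1431101203\tws-207\tMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\thttps://social.technet.microsoft.com/profile/example-user/
1431101798\tws-207\tMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\thttps://social.technet.microsoft.com/profile/example-user/
1431100300\tws-333\tcurl/7.40.0\thttps://updates.example.invalid/feed.xml
""".splitlines()


def parse_line(line):
    """Split one record into (epoch, client, user_agent, url)."""
    ts, client, ua, url = line.split("\t")
    return int(ts), client, ua, url


def is_forum_url(url):
    """True when the URL points at one of the listed user-content hosts."""
    return urlparse(url).hostname in FORUM_HOSTS


def hunt(lines):
    """Return sorted (client, url, reason) findings for forum fetches that look automated.

    reason is "unknown-user-agent" when the UA is not a deployed browser, and
    "periodic-refetch" when the same client pulls the same URL on a steady timer.
    """
    findings = set()
    timestamps = defaultdict(list)

    for line in lines:
        ts, client, ua, url = parse_line(line)
        if not is_forum_url(url):
            continue  # only traffic to the trusted-but-public hosts matters here
        if ua not in KNOWN_BROWSER_UAS:
            findings.add((client, url, "unknown-user-agent"))
        timestamps[(client, url)].append(ts)

    for (client, url), stamps in timestamps.items():
        if len(stamps) < MIN_FETCHES:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # A human re-reading a page produces irregular gaps; a timer does not.
        if avg > 0 and pstdev(gaps) / avg < MAX_JITTER:
            findings.add((client, url, "periodic-refetch"))

    return sorted(findings)


if __name__ == "__main__":
    for client, url, reason in hunt(SAMPLE_LOGS):
        print(f"{client}\t{reason}\t{url}")
```

Both heuristics are cheap to run over existing proxy or web-filter logs and neither needs the destination to be untrusted, which is the point the article makes about this kind of hosting. A real deployment would tune the jitter threshold against the organisation's own traffic, since some legitimate software also polls pages on a fixed schedule.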
“This additional obfuscation puts yet another layer between APT17 and the security professionals attempting to chase them down,” FireEye said in its report. Its findings inspired FireEye to contact Microsoft, which then shut down the group’s accounts on TechNet.
FireEye predicts that tactics such as this one will become more common as hackers develop ever more sophisticated techniques.
“Organizations will need new technology to detect these attacks,” said Bryce Boland, FireEye’s APAC CTO. He said that those companies with “highly critical environments shouldn’t allow people to receive content from the internet.”
On the other hand, websites which allow users to post content need to be wary of the misuse of this ability, he continued.