APT17 exploit on Microsoft TechNet nothing novel, say experts
FireEye has revealed that a China-based hacking group has been using Microsoft TechNet as a relay for C&C addresses for BlackCoffee malware, but experts tell us it's nothing novel.
Chinese hackers have been using Microsoft Technet to hide IP addresses for command and control servers in plain sight, researchers at FireEye revealed on Thursday.
However, the revelations have not come as a real surprise to security experts, many of whom have told SCMagazineUK.com that they have seen similar techniques used elsewhere.
According to FireEye, the encoded IP addresses are meant to be accessed by a variant of the BlackCoffee backdoor and then decoded to give it the location of its command and control (C&C) server.
This particular obfuscation tactic was discovered in late 2014 by FireEye Threat Intelligence and the Microsoft Threat Intelligence Center.
The threat group – which FireEye has identified as APT17, an advanced persistent threat commonly called 'Deputy Dog' based in China – exploited the ability to create profiles and post on forums to embed encoded C&C addresses.
In a blog post, FireEye wrote: “This technique can make it difficult for network security professionals to determine the true location of the C&C, and allow the C&C infrastructure to remain active for a longer period of time.” FireEye emphasised that TechNet's security was not affected.
“This latest tactic by APT17 of using websites' legitimate functionalities to conduct their communications shows just how difficult it is for organisations to detect and prevent advanced threats,” said Laura Galante, manager, threat intelligence, FireEye. More information can be found in FireEye's initial report, entitled “Hiding in plain sight”.
However, a number of experts have told SC that there's nothing really new in this technique.
Marta Janus, security researcher, global research and analysis team, Kaspersky Lab told SC: “Although this method is fairly sophisticated, it's nothing really new. We have already seen malware that communicates with C&C servers using legitimate web pages... Many of the contemporary backdoors are using fake Twitter accounts or ICQ statuses to pass the commands to the bots.”
Sarb Sembhi, director, Storm Guidance said, “I'm not surprised because if you look at the way they used Microsoft Technet to relay the IP address of the command and control server, it was really only a matter of time before someone came up with the idea of separating the C&C data from the malware. It's clear that they didn't want the address of the command and control server stored in the malware itself. That's the key reason to do this, to hide where the server is.”
Gavin Reid, VP of threat intelligence at Lancope, said, “Smart attacks don't leave attack-like signatures. During each stage of the attack savvy hackers are using normal networking protocols, looking like everyone else on the network to remain undetected. The example of command and control through public forums or other websites has been around for awhile. Web traffic to a site like TechNet looks normal for most organizations and with no other indicators would avoid scrutiny."
Tim Erlin, director of product management, Tripwire, said, “Using a legitimate website to distribute malicious data is nothing new, but the addition of obfuscation here is a twist that makes detection just that much harder. Any website that allows for public comments to be submitted is already monitoring for abuse, but they can only detect what they're actually looking for. Now that this technique has been surfaced, website admins will adapt to identify it, and the criminals will have to shift again to avoid detection.”
TK Keanini, CTO, Lancope concluded: “These covert communication channels are standard for attackers... Until you can turn your network into a giant sensor grid that can perform advanced anomaly detection, these channels will operate successfully and without your detection. These are not the 'droids you are looking for type of Jedi mind tricks [are] everywhere."