FireEye Threat Intelligence and Microsoft Threat Intelligence Center have reported how a Chinese hacking group, APT (advanced persistent threat) 17, used Microsoft’s IT support TechNet blog for its Command-and-Control (CnC) operation. The hacking group has already accrued some degree of infamy after reportedly hacking Asian companies and governments for a number of years, as well as U.S government agencies, defense contractors and law firms, according to reports.

FireEye wrote in a blog post about what the security vendor called a ‘hide in plain sight’ hack on TechNet’s very popular support forums, explaining, “Interestingly, APT17 chose not to compromise TechNet, but rather created profiles and posted in forums to post its encoded CnC. Doing so made it more difficult for network security professionals to determine the CnC’s true location, which allowed APT17 to conduct its activities for longer than it might have otherwise.”

The group, who go by the name of DeputyDog, would target someone working in a company by sending them an email containing malicious malware, which then could be triggered remotely from an account on TechNet in the form of a grammatically flawed, spammy comment containing an encoded domain. Once infected APT17 (using software called Blackcoffee) might then take over a machine from a command control server, downloading files, ending processes, making certain demands.

FireEye reported that attacking popular sites such as TechNet, sites that are frequently populated by IT professionals, is quite common. Because the site is not wholly compromised it makes detecting the malicious intent difficult.

In a report FireEye said, “This additional obfuscation puts yet another layer between APT17 and the security professionals attempting to chase them down.” Worryingly, this kind of cyber espionage, said FireEye, is going to become even more common, and although Microsoft worked with FireEye on the recent attack the security vendor said that companies have not made the issue very public. In one report Bryce Boland, FireEye’s APAC CTO, goes as far as to say that new technology is needed to address such sophisticated attacks. He added  companies are not only responsible for managing their networks, but social networks should be wary about comments. Boland continued to ask if readers of spammy looking content on forums ever thought that they could be looking at a possible attack? Watch out for bad grammar folks!

Photo credit: Dennis Skley via photopin cc