China-based group using new tactic to plant backdoors: FireEye
By A. Asohan May 15, 2015
- Sophisticated cyber-espionage disguise makes it harder to detect and shut down
- SEA entities, including governments, not specifically targeted but still at risk
SECURITY specialist FireEye Inc and technology giant Microsoft Corp have revealed details of a China-based threat group which has been embedding hidden code in public websites and online forums to plant backdoors on their targets.
In late 2014, FireEye Threat Intelligence and the Microsoft Threat Intelligence Centre discovered a new command-and-control (C&C) obfuscation tactic being used by APT17, a China-based advanced persistent threat (APT) group.
APT17, also known as Deputy Dog, has been using a backdoor known as Blackcoffee since 2013, and has conducted network intrusions against a variety of targets, including the US Government, as well as the defence industry, law firms, and information technology companies around the world.
A variant of Blackcoffee was disguising its C&C servers by encoding data onto Microsoft’s TechNet web portal, the Redmond, Washington-based company’s web resource for IT professionals, FireEye told Digital News Asia (DNA) in a statement.
Encoding the IP (Internet Protocol) address on Microsoft TechNet makes it more difficult for network security professionals to identify the true C&C address.
APT17’s use of Blackcoffee demonstrates threat actors’ evolving use of public websites to hide in plain sight. In the past, threat actors would modify easily compromised websites to host C&C commands and configuration, FireEye said.
Now, threat actors are using well-known websites – which they do not need to compromise – to host C&C IP addresses, FireEye said in its Hiding in Plain Sight report.
This is the latest in a trend that has seen attack groups getting more sophisticated and much better at covering their tracks, which makes them harder to shut down, noted a FireEye spokesman.
The longer it takes to detect and shut down such threats also gives such groups more time to exfiltrate data, he told DNA.
Worryingly, the new report comes in the wake of another FireEye report in April that detailed an on-going and long-running cyber-espionage operation that has targeted multiple organisations in Asean countries, including Malaysia.
That operation was conducted by yet another China-based group which FireEye identified as APT30, which seemed particularly interested in ministerial meetings of the Association of South-East Asian Nations (Asean).
Despite FireEye’s revelations, Malaysia’s national cybersecurity agency CyberSecurity Malaysia said it was not investigating the matter because it had not received any complaints.
In October 2013, various media outlets reported that according to top secret documents leaked by intelligence whistleblower Edward Snowden, the United States was running a monitoring station in its Kuala Lumpur embassy to tap telephones and monitor communications networks.
No real action was taken then either.
Asean’s security posture
Given Asean governments’ rather lackadaisical attitude towards such cyber-espionage activities, are organisations in the region at risk?
When asked if any of APT17’s targets came from South-East Asia, FireEye’s Asia Pacific chief technology officer Bryce Boland said that even if there weren’t any targeted specifically by this group, they could be vulnerable to others.
“Every organisation in South-East Asia connected to the Internet today is at risk of cyber-attacks. Even if they have not been targeted by this particular group, they are likely a target for one of the hundreds of others we track.
“We find most organisations underestimate the value of their information. Groups are after much more than credit card data and personal information. State-sponsored groups are gathering intelligence as well,” he told DNA via email.
Boland stressed that FireEye’s report on the APT30 group revealed a cyber-espionage campaign that had targeted South-East Asia businesses and governments and which operated for a decade without making significant changes to its tools or infrastructure.
“It’s highly unusual to see threat groups this way. Typically they change after being detected, so we believe this cyber-espionage campaign went largely undetected until the recent APT30 report.
“This suggests many organisations in South-East Asia aren’t able to detect these attacks,” he said.
“These threat groups present a challenge for governments and the private sector alike. We work with organisations in the region to help them improve their detection capabilities.
“Globally, we find 97% of all organisations where we trial security deployments are breached, and 27% of these organisations have experienced events consistent with the tools and tactics of advanced persistent threat actors,” he added.
Asked what steps potential targets need to take to protect themselves, Boland told DNA that the most fundamental issue in cyber-security today is that advanced attacks cannot be detected by legacy security technologies.
“Organisations in South-East Asia should embrace new security technologies which can detect these sophisticated, targeted attacks. Any organisation relying on legacy approaches is not able to detect these attacks.
“Once an organisation can detect these attacks, it needs to respond as quickly as possible and understand everything the attacker did.
“Only by building this complete understanding can organisations avoid being sucker-punched in cyberspace,” he added.
How Blackcoffee works
In its investigation, the FireEye-Microsoft team encoded a sinkhole IP address into the profile pages and forum threads and locked the accounts to prevent the threat actors from making any changes. This collaborative approach allowed the team to observe the malware and its victims.
According to the FireEye-Microsoft report, the newly-discovered Blackcoffee variant contains one or more URLs (uniform resource locators, or web addresses) that link to the biography sections of attacker-created TechNet profiles, as well as forum threads that contain comments from those same profiles.
A URL is randomly selected and the malware searches at that location for an encoded IP address located between two tags, ‘@MICR0S0FT’ and ‘C0RP0RATI0N.’
The malware then communicates directly with the retrieved and decoded IP address to receive commands and send stolen information. If the C&C server is discovered or shut down, the threat actors can update the encoded IP address on TechNet to maintain control of the victims’ machines.
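As an added illustration, not code from FireEye, Microsoft or the report, the following Python routine shows how a defender might sweep captured web response bodies (for example from a proxy log) for the marker pair quoted above and surface whatever sits between them for an analyst. The page bodies and URLs are constructed, and because the article does not describe how the IP address is encoded, the routine extracts the raw token rather than attempting to decode it.

```python
import re
from typing import List, Tuple

# Marker strings as quoted in the article. Note the digit zeros in place of
# the letter O: a search for the real words "MICROSOFT"/"CORPORATION" would
# miss them, so match the exact byte sequence.
OPEN_TAG = "@MICR0S0FT"
CLOSE_TAG = "C0RP0RATI0N"

# Non-greedy match across line breaks for anything between the two markers.
DEAD_DROP_RE = re.compile(
    re.escape(OPEN_TAG) + r"(.*?)" + re.escape(CLOSE_TAG), re.DOTALL
)


def find_dead_drops(body: str) -> List[str]:
    """Return every raw token found between the marker pair in one page body."""
    return [m.group(1).strip() for m in DEAD_DROP_RE.finditer(body)]


def scan_responses(responses: List[Tuple[str, str]]) -> List[dict]:
    """Scan (url, body) pairs and return one alert per marker hit.

    Each alert carries the URL that served the content and the undecoded
    token, so an analyst can pivot on the hosting page (profile, thread)
    and on any other hosts that fetched the same URL.
    """
    alerts = []
    for url, body in responses:
        for token in find_dead_drops(body):
            alerts.append({"url": url, "token": token})
    return alerts


# Constructed sample capture: one benign profile page and one carrying the
# marker pair around a constructed placeholder token.
SAMPLE_RESPONSES = [
    ("https://example.test/profile/benign",
     "<p>Bio: I write about SQL Server tuning.</p>"),
    ("https://example.test/profile/suspect",
     "<p>Bio: systems admin.</p>\n<p>@MICR0S0FT a3f9c1b2 C0RP0RATI0N</p>"),
]

if __name__ == "__main__":
    for alert in scan_responses(SAMPLE_RESPONSES):
        print(f"dead-drop marker on {alert['url']}: token={alert['token']!r}")
```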
“We have already observed threat actors adopting similar techniques and moving some C&C activity to legitimate websites that they do not need to compromise,” FireEye said in its report.
“In the same vein, some threat actors have already begun using social media sites such as Twitter and Facebook for malware distribution and C&C.
“APT17’s tactic – using a dead drop resolver and embedding encoded IP addresses as opposed to displaying it in plain text – can delay detection, discourage IT staff from discovering the actual C&C IP address, and prevent discovery of the C&C IP via binary analysis.
“FireEye expects that threat groups are already using this technique, with their own unique variations, and others will adopt similar measures to hide in plain sight,” the report said.
FireEye has listed indicators of compromise on Github at: https://github.com/fireeye/iocs.