Microsoft Seizes Domains Used by a Chinese Hacking Group


Microsoft said it has seized control of servers that a China-based hacking group was using to compromise targets aligned with that country’s geopolitical interests.

The hacking group, dubbed Nickel by Microsoft, has been under Microsoft’s watch since at least 2016, and the software company has been tracking the now-disrupted intelligence-gathering campaign since 2019. The attacks, against government agencies, think tanks and human rights organizations in the US and 28 other countries, were “highly sophisticated”, Microsoft said, and used a variety of techniques, including exploiting vulnerabilities in software that the targets had yet to patch.

Down but not out

Late last week, Microsoft sought a court order to seize websites that Nickel was using to compromise targets. On Monday, the US District Court for the Eastern District of Virginia granted the motion and unsealed the order. With Nickel’s infrastructure under its control, Microsoft will now “sinkhole” the traffic, meaning it is diverted away from Nickel’s servers and to servers operated by Microsoft, which can neutralize the threat and give Microsoft access to intelligence about how the group and its software operate.

“Getting control of malicious websites and redirecting traffic from those sites to Microsoft’s secure servers will help us protect existing and future victims while learning more about Nickel’s activities,” Tom Burt, the company’s Corporate Vice President of Customer Security and Trust, said in a blog post. “Our disruption will not prevent Nickel from continuing with other hacking activities, but we believe we have removed a critical piece of infrastructure the group is relying on for this latest wave of attacks.”


Targeted organizations spanned both the private and public sectors, including diplomatic entities and ministries of foreign affairs in North America, Central America, South America, the Caribbean, Europe and Africa. Often, there was a correlation between the targets and China’s geopolitical interests.

Targeted organizations were located in Argentina, Barbados, Bosnia and Herzegovina, Brazil, Bulgaria, Chile, Colombia, Croatia, Czech Republic, Dominican Republic, Ecuador, El Salvador, France, Guatemala, Honduras, Hungary, Italy, Jamaica, Mali, Mexico, Montenegro, Panama, Peru, Portugal, Switzerland, Trinidad and Tobago, the United Kingdom and Venezuela, among other countries.

Other names that security researchers use for Nickel include KE3CHANG, APT15, Vixen Panda, Royal APT and Playful Dragon.

More than 10,000 sites down

Microsoft’s legal action last week was the 24th lawsuit the company has filed against threat actors, five of which were nation-sponsored. The lawsuits have resulted in the takedown of 10,000 malicious websites used by financially motivated hackers and about 600 sites used by nation-state hackers. Microsoft has also blocked the registration of 600,000 sites that the hackers planned to use in attacks.

In these lawsuits, Microsoft has invoked various federal laws, including the Computer Fraud and Abuse Act, the Electronic Communications Privacy Act and US trademark law, as a way to seize the domain names used for command-and-control servers. Legal actions led to the seizure in 2012 of infrastructure used by the Kremlin-backed Fancy Bear hacking group, as well as by nation-sponsored attack groups in Iran, China and North Korea. The software maker has also used lawsuits to disrupt botnets that go by names such as Zeus, Nitol, ZeroAccess, Bamital and TrickBot.

A legal action by Microsoft in 2014 led to the takedown of more than a million legitimate servers, leaving large numbers of law-abiding people unable to reach benign websites. Microsoft was harshly criticized for the move.

VPN, Stolen Credentials and Unpatched Servers

In some cases, Nickel hacked targets using compromised third-party VPN providers or stolen credentials obtained through spear-phishing. In other cases, the group took advantage of vulnerabilities that Microsoft had fixed but the victims had yet to patch in on-premises Exchange Server or SharePoint systems. A separate blog post published by the Microsoft Threat Intelligence Center (MSTIC) explained:

MSTIC has seen Nickel actors use exploits against unpatched systems to compromise remote access services and appliances. Upon successful intrusion, they have used credential dumpers or stealers to obtain valid credentials, which they used to gain access to victim accounts. Nickel actors created and deployed custom malware that allowed them to maintain persistence on the victim’s network over an extended period of time. MSTIC has also observed that Nickel performs frequent and scheduled data collection and exfiltration from the victim network.

Nickel successfully compromises networks using attacks on Internet-facing web applications running on unpatched Microsoft Exchange and SharePoint. They also attack remote access infrastructure, such as unpatched VPN appliances, as referenced in the FireEye April 2021 blog detailing a 0-day vulnerability in Pulse Secure VPN that has since been patched.

After gaining an initial foothold on a compromised system, Nickel actors regularly performed reconnaissance on the network, working to gain access to additional accounts or higher-value systems. Nickel typically deploys a keylogger to obtain credentials from users on compromised systems. We’ve seen Nickel using Mimikatz, WDigest (an older authentication method that allows an attacker access to credentials in clear text), NTDSDump and other password dumping tools to collect credentials from the target system and from the target’s browser.

Nickel actors have also used compromised credentials to sign into targets’ Microsoft 365 accounts through normal logins with a browser and the legacy Exchange Web Services (EWS) protocol. This activity allowed the actors to review and collect sensitive emails. Microsoft has also seen Nickel successfully signing into compromised accounts through commercial VPN providers and actor-controlled infrastructure.

The latter blog post provides tips for preventing attacks by Nickel, as well as indicators that administrators can use to determine whether they have been targeted or compromised by the group.
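The MSTIC excerpt above describes two things a defender can hunt for in cloud sign-in telemetry: successful logins over the legacy Exchange Web Services protocol, and successful logins arriving from commercial VPN or actor-controlled infrastructure rather than the organization’s own egress addresses. The following is an added example, not code from the Ars Technica article or from Microsoft’s blog posts, that runs that check over a handful of constructed sign-in records. The record field names follow the Azure AD sign-in log schema (userPrincipalName, clientAppUsed, ipAddress, status.errorCode); the users, addresses and the corporate address range 203.0.113.0/24 are invented for the example.

```python
"""Flag sign-ins that match the tradecraft described in the MSTIC excerpt:
valid-credential logins over legacy protocols such as EWS, and valid-credential
logins from addresses outside the organization's known egress ranges."""
import ipaddress
import json
from dataclasses import dataclass, field

# Client protocols that do not support modern authentication controls (MFA,
# Conditional Access); "Exchange Web Services" is the one named in the excerpt.
LEGACY_CLIENT_APPS = {
    "Exchange Web Services",
    "Exchange ActiveSync",
    "IMAP4",
    "POP3",
    "Authenticated SMTP",
    "Other clients",
}

# Assumed for the example: the organization's own VPN/proxy egress range.
CORPORATE_RANGES = ["203.0.113.0/24"]

# Constructed sample records (newline-delimited JSON); every value is invented.
SAMPLE_LOG = """
{"createdDateTime":"2021-11-30T08:02:11Z","userPrincipalName":"a.lopez@example.org","clientAppUsed":"Browser","ipAddress":"203.0.113.10","status":{"errorCode":0}}
{"createdDateTime":"2021-11-30T08:05:40Z","userPrincipalName":"a.lopez@example.org","clientAppUsed":"Exchange Web Services","ipAddress":"198.51.100.77","status":{"errorCode":0}}
{"createdDateTime":"2021-11-30T09:14:02Z","userPrincipalName":"b.chen@example.org","clientAppUsed":"Exchange Web Services","ipAddress":"203.0.113.22","status":{"errorCode":50126}}
{"createdDateTime":"2021-11-30T09:20:55Z","userPrincipalName":"b.chen@example.org","clientAppUsed":"Browser","ipAddress":"192.0.2.5","status":{"errorCode":0}}
{"createdDateTime":"2021-11-30T10:01:30Z","userPrincipalName":"c.diaz@example.org","clientAppUsed":"Exchange ActiveSync","ipAddress":"203.0.113.40","status":{"errorCode":0}}
"""


@dataclass
class Finding:
    user: str
    ip: str
    client_app: str
    when: str
    reasons: list = field(default_factory=list)


def parse_signins(text):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            records.append(json.loads(line))
    return records


def find_suspicious(records, corporate_ranges):
    """Return a Finding for every successful sign-in that used a legacy
    protocol and/or came from outside the corporate ranges. Failed sign-ins
    are skipped: the excerpt is about attackers holding valid credentials."""
    nets = [ipaddress.ip_network(cidr) for cidr in corporate_ranges]
    findings = []
    for rec in records:
        if rec.get("status", {}).get("errorCode", 0) != 0:
            continue
        reasons = []
        app = rec.get("clientAppUsed", "")
        if app in LEGACY_CLIENT_APPS:
            reasons.append(f"legacy protocol: {app}")
        ip = ipaddress.ip_address(rec["ipAddress"])
        if not any(ip in net for net in nets):
            reasons.append(f"source {ip} outside corporate ranges")
        if reasons:
            findings.append(Finding(rec["userPrincipalName"], str(ip), app,
                                    rec["createdDateTime"], reasons))
    return findings


def users_with_legacy_and_external(findings):
    """Users with a single sign-in that hit both conditions at once: the
    pattern the excerpt attributes to Nickel (EWS from non-corporate
    infrastructure with a working password)."""
    return sorted({f.user for f in findings if len(f.reasons) == 2})


if __name__ == "__main__":
    found = find_suspicious(parse_signins(SAMPLE_LOG), CORPORATE_RANGES)
    for f in found:
        print(f"{f.when} {f.user} {f.client_app} {f.ip}: {'; '.join(f.reasons)}")
    print("high-confidence:", users_with_legacy_and_external(found))
```

On the sample above, the EWS login by a.lopez from 198.51.100.77 trips both conditions, the browser login by b.chen from 192.0.2.5 and the ActiveSync login by c.diaz trip one each, and the failed EWS attempt by b.chen is ignored. In practice the same protocol set is what a Conditional Access policy blocking legacy authentication targets, and the on-host counterpart to the WDigest item in the excerpt is ensuring the UseLogonCredential value under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest is 0, so LSASS does not keep clear-text passwords for Mimikatz to read.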

This story originally appeared on Ars Technica.
