Microsoft seizes domains used by “highly sophisticated” hackers in China

Image caption: Computer chip with Chinese flag, conceptual 3D illustration.

Microsoft said it has taken control of the servers that a China-based hacking group was using to compromise targets that align with that country’s geopolitical interests.

The hacking group, which Microsoft calls Nickel, has been in Microsoft’s crosshairs since at least 2016, and the company has been tracking the now-disrupted intelligence-gathering campaign since 2019. The attacks, against government agencies, think tanks and human rights organizations in the US and 28 other countries, were “highly sophisticated,” Microsoft said, and used a variety of techniques, including exploiting vulnerabilities in software that targets had yet to patch.

Down but not out

Late last week, Microsoft asked a court for an order to seize the websites that Nickel was using to compromise targets. The US District Court for the Eastern District of Virginia granted the motion and unsealed the order on Monday. With control of Nickel’s infrastructure, Microsoft will now “sinkhole” the traffic, meaning it will divert connections from Nickel’s servers to Microsoft-operated servers, which neutralizes the threat and lets Microsoft gain intelligence on how the group and its software operate.

“Gaining control of malicious websites and redirecting traffic from those sites to Microsoft’s secure servers will help us protect current and future victims as we learn more about Nickel’s activities,” wrote Tom Burt, Microsoft’s corporate vice president of customer security and trust, in a blog post. “Our disruption will not prevent Nickel from continuing other hacking activities, but we believe we have removed a key piece of infrastructure that the group has been relying on for this latest wave of attacks.”

Targeted organizations included those in the public and private sectors, including diplomatic entities and ministries of foreign affairs in North America, Central America, South America, the Caribbean, Europe, and Africa. There was often a correlation between the targets and China’s geopolitical interests.

The target organizations were located in other countries, including Argentina, Barbados, Bosnia and Herzegovina, Brazil, Bulgaria, Chile, Colombia, Croatia, Czech Republic, Dominican Republic, Ecuador, El Salvador, France, Guatemala, Honduras, Hungary, Italy, Jamaica, Mali, Mexico, Montenegro, Panama, Peru, Portugal, Switzerland, Trinidad and Tobago, United Kingdom and Venezuela.

Names other security researchers use for Nickel include “KE3CHANG”, “APT15”, “Vixen Panda”, “Royal APT” and “Playful Dragon”.

10,000+ sites removed

Microsoft’s legal action last week was the 24th lawsuit the company has filed against threat actors, five of which were against nation-state-sponsored groups. The lawsuits have resulted in the takedown of 10,000 malicious websites used by financially motivated hackers and nearly 600 sites used by nation-state hackers. Microsoft has also blocked the registration of 600,000 sites that the hackers had planned to use in attacks.

In these lawsuits, Microsoft has invoked various federal laws, including the Computer Fraud and Abuse Act, the Electronic Communications Privacy Act, and US trademark law, as a way to seize the domain names used for command and control servers. Legal action led to the 2012 seizure of infrastructure used by the Kremlin-backed Fancy Bear hacking group, as well as by nation-state-sponsored hacking groups in Iran, China and North Korea. The software maker has also used lawsuits to disrupt botnets with names like Zeus, Nitol, ZeroAccess, Bamital, and TrickBot. A legal action Microsoft took in 2014 also led to the takedown of more than a million legitimate servers that depended on the seized infrastructure, leaving large numbers of law-abiding people unable to reach benign websites. Microsoft was harshly criticized for the move.

VPN, stolen credentials, and unpatched servers

In some cases, Nickel hacked targets using compromised third-party VPN providers or stolen credentials obtained through spear-phishing. In other cases, the group exploited vulnerabilities that Microsoft had already patched but that victims had yet to install on on-premises Exchange Server or SharePoint systems. A separate blog post from Microsoft’s Threat Intelligence Center explained:

MSTIC has observed that NICKEL actors use exploits against unpatched systems to compromise remote access devices and services. Following a successful intrusion, they have used dumpers or credential stealers to obtain legitimate credentials, which they used to access victims’ accounts. NICKEL actors created and deployed custom malware that allowed them to maintain persistence on victims’ networks for extended periods of time. MSTIC has also observed that NICKEL conducts frequent and scheduled data collection and exfiltration of victim networks.

NICKEL successfully compromises networks by attacking Internet-facing web applications running on Microsoft Exchange and SharePoint without patches. They also attack remote access infrastructure such as unpatched VPN devices, as referenced in the FireEye April 2021 blog detailing a 0-day vulnerability in Pulse Secure VPN which has since been patched.

After gaining an initial foothold in a compromised system, NICKEL actors conducted routine reconnaissance on the network, working to gain access to additional accounts or higher-value systems. NICKEL typically deployed a keylogger to capture user credentials on compromised systems. We have observed NICKEL using Mimikatz, WDigest (an older authentication method that allows the attacker to access credentials in clear text), NTDSDump, and other password dumping tools to collect credentials on a target system and from target browsers.

Nickel hackers have also used compromised credentials to log into targets’ Microsoft 365 accounts through normal logins with a browser and the legacy Exchange Web Services protocol. The activity allowed hackers to review and collect confidential emails. Microsoft has also observed Nickel successfully logging into compromised accounts through commercial VPN providers and actor-controlled infrastructure alike.

The MSTIC blog post provides guidance for protecting against Nickel attacks, as well as indicators that administrators can use to determine whether they have been targeted or compromised by the hacking group.
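Two of the behaviours described above are visible in Microsoft 365 sign-in logs: successful logins over the legacy Exchange Web Services protocol, and one external source address (a commercial VPN exit or actor-controlled host) authenticating as several different accounts. The following is an added example of that triage logic, not code from Microsoft or the MSTIC post; the record layout, the legacy-client list and the corporate egress range are assumptions, and the sign-in records are constructed.

```python
"""Triage of Microsoft 365 sign-in records for legacy-protocol logins and
shared external source IPs. Added example; the record fields mimic an
Azure AD sign-in export but are an assumption, and all data is constructed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Client types that authenticate with legacy protocols (assumed list).
LEGACY_CLIENTS = {"Exchange Web Services", "Other clients", "IMAP4", "POP3",
                  "Authenticated SMTP"}
# The organisation's own egress range; anything else is "external" (assumed).
KNOWN_EGRESS = [ip_network("203.0.113.0/24")]

# Constructed sample sign-ins, not real log data.
SIGNINS = [
    {"user": "alice@example.org", "client": "Browser", "ip": "203.0.113.10", "success": True},
    {"user": "bob@example.org", "client": "Exchange Web Services", "ip": "198.51.100.7", "success": True},
    {"user": "carol@example.org", "client": "Exchange Web Services", "ip": "198.51.100.7", "success": True},
    {"user": "dave@example.org", "client": "Browser", "ip": "198.51.100.7", "success": True},
    {"user": "erin@example.org", "client": "IMAP4", "ip": "203.0.113.22", "success": False},
]

def outside_egress(ip):
    """True when the address is not inside any known corporate egress range."""
    addr = ip_address(ip)
    return not any(addr in net for net in KNOWN_EGRESS)

def legacy_protocol_logins(records):
    """Successful sign-ins over a legacy protocol; failed attempts are skipped."""
    return [r for r in records if r["success"] and r["client"] in LEGACY_CLIENTS]

def shared_source_ips(records, min_users=2):
    """External IPs that successfully authenticated as min_users or more accounts."""
    users_by_ip = defaultdict(set)
    for r in records:
        if r["success"] and outside_egress(r["ip"]):
            users_by_ip[r["ip"]].add(r["user"])
    return {ip: sorted(u) for ip, u in users_by_ip.items() if len(u) >= min_users}

def triage(records):
    """One finding line per suspicious observation, for an analyst to review."""
    findings = []
    for r in legacy_protocol_logins(records):
        loc = "external" if outside_egress(r["ip"]) else "internal"
        findings.append(f"legacy-auth {r['client']}: {r['user']} from {r['ip']} ({loc})")
    for ip, users in shared_source_ips(records).items():
        findings.append(f"shared-source {ip} used by {len(users)} accounts: {', '.join(users)}")
    return findings

if __name__ == "__main__":
    for line in triage(SIGNINS):
        print(line)
```

A real deployment would read the sign-in export instead of the inline list and feed the findings into the existing alerting pipeline; the two checks are deliberately independent so either can be tuned on its own.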
