Microsoft seizes domains used by “highly sophisticated” hackers in China

Computer chip with Chinese flag, 3D conceptual illustration.


Microsoft said it has seized control of servers that a China-based hacking group was using to compromise targets that align with that country’s geopolitical interests.

The hacking group, which Microsoft has dubbed Nickel, has been in Microsoft’s sights since at least 2016, and the software company has been tracking the now-disrupted intelligence-gathering campaign since 2019. The attacks—against government agencies, think tanks, and human rights organizations in the US and 28 other countries—were “highly sophisticated,” Microsoft said, and used a variety of techniques, including exploiting vulnerabilities in software that targets had yet to patch.

Down but not out

Late last week, Microsoft sought a court order to seize websites Nickel was using to compromise targets. The court, the US District Court for the Eastern District of Virginia, granted the motion and unsealed the order on Monday. With control of Nickel’s infrastructure, Microsoft will now “sinkhole” the traffic, meaning it’s diverted away from Nickel’s servers and to Microsoft-operated servers, which can neutralize the threat and obtain intelligence about how the group and its software work.

“Obtaining control of the malicious websites and redirecting traffic from those sites to Microsoft’s secure servers will help us protect existing and future victims while learning more about Nickel’s activities,” Tom Burt, the company’s corporate vice president of Customer Security & Trust wrote in a blog post. “Our disruption will not prevent Nickel from continuing other hacking activities, but we do believe we have removed a key piece of the infrastructure the group has been relying on for this latest wave of attacks.”

Fancy Bear hacking group as well as nation-sponsored attack groups in Iran, China, and North Korea. The software maker has also used lawsuits to disrupt botnets with names such as Zeus, Nitol, ZeroAccess, Bamital, and TrickBot. A legal action Microsoft took in 2014 led to the takedown of more than a million legitimate servers that rely on No-IP.com, resulting in large numbers of law-abiding people being unable to reach benign websites. Microsoft was bitterly castigated for the move.

VPNs, stolen credentials, and unpatched servers

In some cases, Nickel hacked targets using compromised third-party VPN suppliers or stolen credentials obtained through spear-phishing. In other cases, the group exploited vulnerabilities in on-premises Exchange Server or SharePoint systems for which Microsoft had already released patches that victims had yet to install. A separate blog post published by Microsoft’s Threat Intelligence Center explained:

FireEye April 2021 blog detailing a 0-day vulnerability in Pulse Secure VPN that has since been patched.

After gaining an initial foothold on a compromised system, the NICKEL actors routinely performed reconnaissance on the network, working to gain access to additional accounts or higher-value systems. NICKEL typically deployed a keylogger to capture credentials from users on compromised systems. We’ve observed NICKEL using Mimikatz, WDigest (an older authentication method that allows the attacker access to credentials in clear text), NTDSDump, and other password dumping tools to gather credentials on a targeted system and from target browsers.

Nickel hackers have also used compromised credentials to sign into targets’ Microsoft 365 accounts through normal logins with a browser and the legacy Exchange Web Services protocol. The activity allowed the hackers to review and collect sensitive emails. Microsoft has also observed Nickel successfully signing in to compromised accounts through commercial VPN providers and actor-controlled infrastructure alike.
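The WDigest weakness mentioned above is a host setting an administrator can audit. As an added example (not code from the article or from Microsoft’s posts), the PowerShell below reports whether WDigest is still allowed to keep logon credentials in LSASS memory in clear text on the machine it runs on; it assumes Windows PowerShell 5.1 or later and read access to HKLM.

```powershell
# Added example, not from the article: audit WDigest clear-text credential caching.
# A value of 1 in UseLogonCredential lets LSASS keep plaintext passwords that
# credential-dumping tools harvest; 0 disables that behaviour.
$path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$value = (Get-ItemProperty -Path $path -Name 'UseLogonCredential' `
          -ErrorAction SilentlyContinue).UseLogonCredential

# Windows 8.1 / Server 2012 R2 (kernel 6.3) and later treat an absent value as
# disabled. Older builds that received KB2871997 only honour an explicit 0, so an
# absent value on those builds means caching is still on.
$os = [System.Environment]::OSVersion.Version
$secureWhenAbsent = $os -ge [version]'6.3'

if ($null -eq $value) {
    $state = if ($secureWhenAbsent) { 'Disabled (OS default, value absent)' }
             else { 'ENABLED (value absent on pre-6.3 build)' }
} elseif ($value -eq 0) {
    $state = 'Disabled (explicitly set to 0)'
} else {
    $state = "ENABLED (UseLogonCredential = $value)"
}

[pscustomobject]@{
    Computer           = $env:COMPUTERNAME
    OSVersion          = $os.ToString()
    UseLogonCredential = $value
    WDigestCleartext   = $state
}
```

If the result reads ENABLED, set the value to 0 (the change applies to new logons, so credentials already cached stay resident until the session ends) and alert on any later change of that value back to 1, which is a common tampering signal.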

The latter blog post provides suggestions for warding off attacks from Nickel as well as indicators admins can use to determine if they have been targeted or compromised by the hacking group.
