Microsoft Seizes Control of Chinese Hacking Group Web Sites
Microsoft on Monday announced that it has seized control of multiple Web sites used by the Chinese hacking group NICKEL.
This week's action is the culmination of a five-year investigation by the Microsoft Threat Intelligence Center (MSTIC) into the group, which has targeted governments and private organizations in North America, South America, Europe and the Caribbean.
During that time, MSTIC observed NICKEL exploiting unpatched vulnerabilities to gain access to targeted accounts. In a blog post, MSTIC outlined how the vulnerabilities of choice included Microsoft's own software:
NICKEL successfully compromises networks using attacks on internet-facing web applications running on unpatched Microsoft Exchange and SharePoint. They also attack remote access infrastructure, such as unpatched VPN appliances.
After gaining entry to a system, NICKEL would monitor the connected network and wait for an opportune time to deploy a keylogger. Once credentials were captured, the attackers would sign into the targets' Microsoft 365 accounts to collect e-mail.
Once MSTIC had properly documented how this operation functioned, it filed pleadings with the U.S. District Court for the Eastern District of Virginia for it to take control of the malicious Web sites used by NICKEL. It has since redirected traffic to those sites to Microsoft's own secure servers.
Tom Burt, Microsoft's corporate vice president of Customer Security & Trust, said that the recent takedown won't stop NICKEL's global cybercrime activities, but it will give Microsoft and others a leg up on how to counter their moves.
"Obtaining control of the malicious websites and redirecting traffic from those sites to Microsoft's secure servers will help us protect existing and future victims while learning more about Nickel's activities," said Burt in a blog post.
He also commended MSTIC's legal approach to combating global cybercrime rings, saying the group's legal actions to date include 24 lawsuits that have been successful in the takedown or seizure of more than 10,000 malicious Web sites.
And, while the actions of companies like Microsoft do help to mitigate the damage that rings like NICKEL can inflict, Burt says that more must be done by both the public and private sectors to slow the rising tide of nation-state actors and cybercrime rings. "We need industry, governments, civil society and others to come together and establish a new consensus for what is and isn't appropriate behavior in cyberspace."
As for defending against NICKEL's specific attack patterns, Microsoft recommends that patching be a top priority for IT teams. MSTIC has outlined further security steps, including:
- Blocking legacy protocols in Azure Active Directory (specifically those associated with Exchange Web Services).
- Enabling multifactor authentication for not only Microsoft 365 credentials, but any personal and corporate e-mail accounts used.
- Monitoring and blocking incoming traffic from anonymous sources.
- Using additional safeguards, like Microsoft Authenticator, to further secure user accounts.
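As an added example (not from the article or from Microsoft), the script below triages constructed Azure AD sign-in records for the three conditions the steps above target: legacy-protocol sign-ins such as Exchange Web Services, sign-ins made without multifactor authentication, and sign-ins from anonymous sources. The field names (`clientAppUsed`, `authenticationRequirement`, `riskEventTypes_v2`) are assumed to follow the Microsoft Graph signIn resource; the sample records are made up.

```python
"""Flag Azure AD sign-ins that match NICKEL-style access patterns:
legacy protocols (e.g. Exchange Web Services), single-factor auth, anonymous IPs."""
from dataclasses import dataclass

# Legacy client-app names as they appear in the sign-in log's clientAppUsed field
# (assumed to match the Microsoft Graph signIn resource; "Other clients" covers
# remaining legacy authentication flows).
LEGACY_CLIENT_APPS = {
    "Exchange Web Services", "Exchange ActiveSync", "IMAP4", "POP3",
    "Authenticated SMTP", "Outlook Anywhere (RPC over HTTP)", "Other clients",
}


@dataclass(frozen=True)
class Finding:
    user: str
    ip: str
    reasons: tuple  # one tag per matched condition, in fixed order


def triage(records):
    """Return a Finding for every record that matches at least one condition."""
    findings = []
    for r in records:
        reasons = []
        if r.get("clientAppUsed") in LEGACY_CLIENT_APPS:
            reasons.append("legacy-protocol")          # should be blocked in Azure AD
        if r.get("authenticationRequirement") == "singleFactorAuthentication":
            reasons.append("no-mfa")                   # MFA not enforced on this sign-in
        if "anonymizedIPAddress" in r.get("riskEventTypes_v2", []):
            reasons.append("anonymous-source")         # Tor/anonymizer-sourced traffic
        if reasons:
            findings.append(Finding(r["userPrincipalName"], r["ipAddress"], tuple(reasons)))
    # Most conditions matched first, so the riskiest sign-ins surface at the top.
    return sorted(findings, key=lambda f: -len(f.reasons))


# Constructed sample records, not real log data.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.org", "ipAddress": "203.0.113.10",
     "clientAppUsed": "Browser", "authenticationRequirement": "multiFactorAuthentication",
     "riskEventTypes_v2": []},
    {"userPrincipalName": "carol@example.org", "ipAddress": "192.0.2.44",
     "clientAppUsed": "IMAP4", "authenticationRequirement": "singleFactorAuthentication",
     "riskEventTypes_v2": []},
    {"userPrincipalName": "bob@example.org", "ipAddress": "198.51.100.7",
     "clientAppUsed": "Exchange Web Services", "authenticationRequirement": "singleFactorAuthentication",
     "riskEventTypes_v2": ["anonymizedIPAddress"]},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_SIGNINS):
        print(f"{f.user} from {f.ip}: {', '.join(f.reasons)}")
```

In a real deployment the records would come from the sign-in log export, and any user hitting all three conditions is a candidate for immediate credential reset on top of the blocking and MFA steps listed above.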