Microsoft takes control of Chinese hacking group’s websites
Microsoft on Monday announced that it has taken control of several websites used by the Chinese hacking group NICKEL.
This week’s actions are the culmination of a five-year investigation by the Microsoft Threat Intelligence Center (MSTIC) into the hacker group, which has targeted governments and private organizations in North America, South America, Europe and the Caribbean.
During that investigation, MSTIC observed NICKEL using exploits against unpatched vulnerabilities to gain access to targeted accounts. In a blog post, MSTIC explained how the vulnerabilities of choice included flaws in Microsoft’s own software:
NICKEL successfully compromises networks with attacks on Internet-accessible web applications running on unpatched Microsoft Exchange and SharePoint. They also attack remote access infrastructures, such as unpatched VPN appliances.
After entering a system, NICKEL would monitor the connected network and wait for the appropriate time to deploy a keylogger. After the compromised credentials were captured, the attackers would then log into the targets’ Microsoft 365 accounts to collect the emails.
After MSTIC had documented how this operation worked, Microsoft filed petitions with the U.S. District Court for the Eastern District of Virginia to take control of the malicious websites used by NICKEL. It has since redirected traffic to those sites to Microsoft’s own secure servers.
Tom Burt, vice president of Microsoft’s Customer Security & Trust division, said the recent takedown will not stop NICKEL’s global cybercrime operations, but will give Microsoft and others some lead time in working out how to counter the group’s moves.
“Taking control of malicious websites and redirecting traffic from those sites to Microsoft’s secure servers will help us protect existing and future victims while learning more about Nickel’s business,” said Burt in a blog post.
He also praised MSTIC’s legal approach to tackling global cybercrime networks, saying the group’s legal actions to date include 24 lawsuits that have resulted in the removal or seizure of more than 10,000 malicious websites.
And, while the actions of companies like Microsoft are helping to mitigate the damage that rings like NICKEL can inflict, Burt says the public and private sectors need to do more to slow the rising tide of nation-state and cybercrime rings. “We need industry, governments, civil society and others to come together and build a new consensus on what is and is not appropriate behavior in cyberspace.”
For users who want to stay protected against the specific attack patterns NICKEL uses, Microsoft recommends that patching be a top priority for IT teams. MSTIC described other security measures, including:
- Blocking legacy protocols in Azure Active Directory (especially those associated with Exchange Web Services).
- Enabling multi-factor authentication not only for Microsoft 365 credentials, but also for all personal and corporate email accounts in use.
- Monitoring and blocking incoming traffic from anonymous sources.
- Using additional protections, such as Microsoft Authenticator, to further secure user accounts.
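One way a defender can check whether the three controls above are actually holding is to audit sign-in records against them. The script below is an added example, not code from the article or from Microsoft; it assumes records in the shape of Azure AD sign-in log entries (the `clientAppUsed`, `authenticationRequirement` and `ipAddress` fields), and the sample records and anonymizer address range are constructed for the example.

```python
import json
from ipaddress import ip_address, ip_network

# Constructed sample: three Azure AD-style sign-in records (field names follow the
# sign-in log schema; the users, IPs and values are made up for this example).
SAMPLE_SIGNINS = """
{"userPrincipalName": "alice@example.org", "ipAddress": "203.0.113.7", "clientAppUsed": "Browser", "authenticationRequirement": "multiFactorAuthentication"}
{"userPrincipalName": "bob@example.org", "ipAddress": "198.51.100.9", "clientAppUsed": "Exchange Web Services", "authenticationRequirement": "singleFactorAuthentication"}
{"userPrincipalName": "carol@example.org", "ipAddress": "192.0.2.44", "clientAppUsed": "Mobile Apps and Desktop clients", "authenticationRequirement": "singleFactorAuthentication"}
""".strip()

# Legacy (basic-auth) client types that cannot complete an interactive MFA prompt.
LEGACY_CLIENTS = ("Exchange Web Services", "Exchange ActiveSync", "IMAP4", "POP3", "SMTP", "Other clients")

# Placeholder for an anonymizer / Tor exit-node feed; RFC 5737 documentation range, constructed.
ANONYMIZER_RANGES = [ip_network("192.0.2.0/24")]


def is_anonymizer(ip: str) -> bool:
    """True if the source address falls inside a known anonymizer range."""
    addr = ip_address(ip)
    return any(addr in net for net in ANONYMIZER_RANGES)


def audit_signins(jsonl: str) -> list[dict]:
    """Return one finding per record that violates any of the three recommended controls."""
    findings = []
    for line in jsonl.splitlines():
        rec = json.loads(line)
        reasons = []
        client = rec.get("clientAppUsed", "")
        if client.startswith(LEGACY_CLIENTS):          # legacy protocol still in use
            reasons.append("legacy-protocol")
        if rec.get("authenticationRequirement") != "multiFactorAuthentication":
            reasons.append("no-mfa")                      # sign-in completed without MFA
        if is_anonymizer(rec.get("ipAddress", "0.0.0.0")):
            reasons.append("anonymizer-source")           # traffic from an anonymous source
        if reasons:
            findings.append({"user": rec["userPrincipalName"], "ip": rec["ipAddress"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_signins(SAMPLE_SIGNINS):
        print(finding)
```

Each finding names the control that failed, so the output maps directly onto which of the three recommendations still needs enforcing for that account.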