Microsoft has seized 42 domains being used by a China-based cyber espionage group that was targeting government agencies, think tanks, and human rights organizations in the United States and 28 other countries. This threat activity is being attributed to a group called Nickel, which is also known as APT15, Bronze Palace, and Mirage, among others.
These domains were used as part of an infrastructure that allowed the threat actor to maintain long-term access to the compromised systems, as well as execute attacks against them with the purpose of gathering intelligence. This threat actor has been seen using techniques such as exploiting vulnerabilities in unpatched virtual private network (VPN) appliances as well as Exchange and SharePoint systems in order to get an initial foothold into a network. After gaining this foothold, they’ve been found to use common credential dumping tools and stealers, such as Mimikatz and WDigest, to compromise the organization further and install custom backdoors to steal files and emails from the victim.
Nickel has been found using multiple backdoor variants in order to establish this persistence and control; these are currently being tracked as Neoichor, Leeson, NumbIdea, NullItch, and Rokum.
Analyst Notes
While disrupting threat actors by taking down their infrastructure is always beneficial, it is important to note that this will not likely impact Nickel for long before they create new infrastructure and continue their attacks. Ensuring the proper security controls are implemented at an organization to prevent or detect the tactics used by threat actors is the best way to make sure one does not become a victim. A proper patching cycle, particularly for externally facing systems like VPN appliances, is key to preventing malicious actors from gaining a foothold into a network. Likewise, maintaining appropriate endpoint controls, such as Endpoint Detection and Response (EDR), on all systems is crucial to help detect malicious software like Mimikatz and prevent it from executing. Behavioral analysis, such as monitoring process execution chains or possible network beaconing, can also help detect any potential intrusions on a system. Binary Defense’s Managed Detection and Response service is a great asset to use for these types of detection needs.
https://thehackernews.com/2021/12/microsoft-seizes-42-malicious-web.html
https://blogs.microsoft.com/on-the-issues/2021/12/06/cyberattacks-nickel-dcu-china/
