Microsoft Threat Intelligence Center (MSTIC) recently seized dozens of malicious websites operated by NICKEL, a Chinese APT group that targets government and non-government organizations across Central and South America, the Caribbean, Europe, and North America.
MSTIC has tracked NICKEL since 2016. To date, NICKEL has compromised servers belonging to organizations in more than 29 countries. Its targets include:-
- Government organizations
- Diplomatic entities
- Non-governmental organizations (NGOs)
Microsoft's Digital Crimes Unit (DCU) has now announced that it has successfully disrupted NICKEL's ongoing attacks and taken down its malicious websites.
On December 2, Microsoft filed a complaint, and the US District Court for the Eastern District of Virginia granted an order allowing the company to carry out this operation.
Countries Targeted by NICKEL
Microsoft is notifying all affected users and encouraging them to review their recent account activity immediately. Here’s the list of the countries targeted by NICKEL:-
- Argentina
- Barbados
- Bosnia and Herzegovina
- Brazil
- Bulgaria
- Chile
- Colombia
- Croatia
- Czech Republic
- Dominican Republic
- Ecuador
- El Salvador
- France
- Guatemala
- Honduras
- Hungary
- Italy
- Jamaica
- Mali
- Mexico
- Montenegro
- Panama
- Peru
- Portugal
- Switzerland
- Trinidad and Tobago
- United Kingdom
- United States of America
- Venezuela
Here’s what the Corporate Vice President for Customer Security & Trust at Microsoft, Tom Burt stated:-
“NICKEL has targeted organizations in both the private and public sectors, including diplomatic organizations and ministries of foreign affairs in North America, Central America, South America, the Caribbean, Europe, and Africa. All these attacks were largely being used for intelligence gathering from government agencies, think tanks, and human rights organizations.”
NICKEL Activity
NICKEL steals sensitive data and credentials from compromised systems, including by deploying a keylogger. To harvest credentials from targeted systems and browsers, the group has used the following tools and techniques:-
- Mimikatz
- WDigest
- NTDSDump
- Password dumping tools
NICKEL implants have the ability to collect the following system data:-
- IP address
- OS version
- System language ID
- Computer name
- Signed-in username
The NICKEL backdoor offers the following functionality:-
- Launching a process
- Uploading a file
- Downloading a file
- Executing a shellcode in memory
Recommendation & Mitigation
Microsoft recommends that organizations:-
- Implement risk mitigations
- Harden environments
- Investigate suspicious behaviors
The recommended mitigations are:-
- Block legacy authentication protocols in Azure Active Directory.
- Enable multi-factor authentication.
- Use Microsoft Authenticator, a passwordless solution, to secure accounts.
- Block ActiveSync clients from bypassing Conditional Access policies.
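The first, second and fourth mitigations above can be enforced with Azure AD Conditional Access. The following is an added example using the Microsoft Graph PowerShell SDK; it is not from Microsoft's announcement. It creates two policies in report-only mode so that sign-in logs can be reviewed before enforcement; the break-glass group ID is a placeholder you must replace.

```powershell
# Added example: Conditional Access policies for the NICKEL mitigations.
# Requires the Microsoft.Graph PowerShell SDK and an account with the
# Policy.ReadWrite.ConditionalAccess permission.
Connect-MgGraph -Scopes "Policy.Read.All","Policy.ReadWrite.ConditionalAccess"

# Placeholder: object ID of an emergency-access (break-glass) group that
# must never be locked out by these policies.
$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"

function New-ReportOnlyCaPolicy {
    param(
        [string]   $Name,
        [string[]] $ClientAppTypes,
        [string[]] $Controls
    )
    # "enabledForReportingButNotEnforced" logs what the policy WOULD do
    # without blocking anyone; switch to "enabled" after reviewing results.
    $body = @{
        displayName   = $Name
        state         = "enabledForReportingButNotEnforced"
        conditions    = @{
            users          = @{
                includeUsers  = @("All")
                excludeGroups = @($breakGlassGroupId)
            }
            applications   = @{ includeApplications = @("All") }
            clientAppTypes = $ClientAppTypes
        }
        grantControls = @{
            operator         = "OR"
            builtInControls  = $Controls
        }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# Mitigations 1 and 4: legacy protocols (IMAP, POP, SMTP AUTH, basic-auth
# ActiveSync) cannot satisfy MFA, so they are blocked outright. The
# "exchangeActiveSync" and "other" client types are exactly the legacy clients.
New-ReportOnlyCaPolicy -Name "Block legacy authentication" `
    -ClientAppTypes @("exchangeActiveSync", "other") -Controls @("block")

# Mitigation 2: require MFA for all modern-auth sign-ins.
New-ReportOnlyCaPolicy -Name "Require MFA for all users" `
    -ClientAppTypes @("browser", "mobileAppsAndDesktopClients") -Controls @("mfa")
```

Review the Conditional Access report-only insights in the sign-in logs for a few days to identify service accounts and devices still using legacy protocols before changing `state` to `enabled`.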
The rapid increase in such threats is alarming, which is why experts recommend that users follow all recommended security measures to mitigate them.
Indicators of compromise (IOCs)