Hillicon Valley — Presented by Connected Commerce Council — Microsoft disrupts Chinese hacking effort

Today is Monday. Welcome to Hillicon Valley, detailing all you need to know about tech and cyber news from Capitol Hill to Silicon Valley. Subscribe here:

Follow The Hill’s cyber reporter, Maggie Miller (@magmill95), and tech team, Chris Mills Rodrigo (@millsrodrigo) and Rebecca Klar (@rebeccaklar_), for more coverage.

Microsoft hit the ground running at the top of a new work week, announcing that it had disrupted a Chinese hacking group that had targeted organizations in almost 30 countries, including the United States, with a focus on human rights groups and think tanks, among others.

Meanwhile, a new analysis found that the Russian hackers behind last year’s SolarWinds hack haven’t slowed down their efforts, and the planned merger of former President Trump’s new media company and another group is under investigation.

Let’s jump into the news.

Microsoft moves to block Chinese hackers

Microsoft on Monday announced that a federal court had granted a request to allow it to seize websites being used by a Chinese-based hacking group that was targeting organizations in the United States and 28 other nations.

International focus: The hacking group, which Microsoft has dubbed “Nickel,” was observed to be targeting think tanks, human rights organizations, government agencies and diplomatic organizations for intelligence gathering purposes.

The court order unsealed Monday in the Eastern District of Virginia allowed the Microsoft Digital Crimes Unit to take control of the websites used by Nickel and redirect the traffic to Microsoft servers. Customers impacted by the hacking efforts have been notified.

“Obtaining control of the malicious websites and redirecting traffic from those sites to Microsoft’s secure servers will help us protect existing and future victims while learning more about Nickel’s activities,” Tom Burt, the corporate vice president of Customer Security and Trust at Microsoft, wrote in a blog post published Monday.

“Our disruption will not prevent Nickel from continuing other hacking activities, but we do believe we have removed a key piece of the infrastructure the group has been relying on for this latest wave of attacks,” Burt…


Microsoft Seizes 42 Websites From a Chinese Hacking Group

Microsoft said on Monday that it had seized 42 websites from a Chinese hacking group in an effort to disrupt the group’s intelligence-gathering operations.

The company said in a news release that a federal court in Virginia had granted Microsoft’s request to allow its Digital Crimes Unit to take over the U.S.-based websites, which were being run by a hacker group known as Nickel or APT15. The company is redirecting the websites’ traffic to secure Microsoft servers to “help us protect existing and future victims while learning more about Nickel’s activities.”

Microsoft said it has been tracking Nickel since 2016 and had found that its “highly sophisticated” attacks intended to install unobtrusive malware that allowed for surveillance and data theft.

In this most recent case, Nickel was attacking organizations in 29 different countries and was believed to be using the information it collected “for intelligence gathering from government agencies, think tanks, universities and human rights organizations,” Tom Burt, Microsoft’s corporate vice president of customer security and trust, said in the news release. Microsoft did not name the organizations that had been targeted.

The company said it had not discovered any new vulnerabilities in Microsoft products related to the attacks.

“Our disruption will not prevent Nickel from continuing other hacking activities, but we do believe we have removed a key piece of the infrastructure the group has been relying on for this latest wave of attacks,” Mr. Burt said.

Microsoft said it had found that the group often targeted regions in which China has a geopolitical interest. Nickel has targeted diplomatic organizations and foreign affairs ministries in the Western Hemisphere, Europe and Africa, among other groups, the company said.

The company said its Digital Crimes Unit, through 24 lawsuits, had taken down more than 10,000 malicious websites used by cybercriminals and almost 600 used by nation-state actors, and had blocked the registration of 600,000 more.

U.S. cybersecurity agencies have warned that Chinese hacking presents a “major threat” to the United States and its allies.


Mobile World Congress 2012 – Mobile Security Forum – Embrace is the right approach for BYOD

BabaDeda is out. RATDispenser is out in the wild. Phishng in Farsi. Microsoft bug proofs-of-concept. Apple sues NSO Group.

Attacks, Threats, and Vulnerabilities

New PowerShortShell Stealer Exploits Recent Microsoft MSHTML Vulnerability to Spy on Farsi Speakers (Safebreach) SafeBreach Labs discovered a new Iranian threat actor using a Microsoft MSHTML Remote Code Execution (RCE) exploit for infecting Farsi-speaking victims with a new PowerShell stealer.

The BABADEDA Crypter – an Emerging Crypter targeting the Crypto, NFT, and DeFi communities (Morphisec) Morphisec Labs encountered a new malware called Babadeda targeting cryptocurrency enthusiasts through Discord. We reveal how it can be stopped.

RATDispenser: Stealthy JavaScript Loader Dispensing RATs into the Wild (HP Wolf Security) With a 11% detection rate, RATDispenser appears to be effective at evading security controls and delivering malware.

New JavaScript malware works as a “RAT dispenser” (The Record by Recorded Future) Cybersecurity experts from HP said they discovered a new strain of JavaScript malware that criminals are using as a way to infect systems and then deploy much dangerous remote access trojans (RATs).

PoC Exploit Published for Latest Microsoft Exchange Zero-Day (SecurityWeek) Proof-of-concept exploit code released for code execution flaw affecting on-prem Exchange 2016 and 2019 installations.

Exchange Server admins advised to patch vulnerable machines after POC exploit released for high-severity bug (Computing) Microsoft has described the flaw as having a high impact on data integrity, confidentiality and availability

New Security Shock For Millions Of Windows 10, 11 And Server Users (Forbes) A failed November Patch Tuesday fix could leave millions of Windows 10, Windows 11 and Windows Server users at risk of system takeover.

New Windows zero-day with public exploit lets you become an admin (BleepingComputer) A security researcher has publicly disclosed an exploit for a new Windows zero-day local privilege elevation vulnerability that gives admin privileges in Windows 10, Windows 11, and Windows Server.

Serious Vulnerability Found in Imunify360 Web Server Security Product (SecurityWeek) A vulnerability in the Imunify360 security suite for web servers can be exploited for remote code execution using specially crafted files.