Knowledge base

September 27, 2020

Microsoft has removed 18 Azure Active Directory applications from its Azure portal created by a China-linked APT group, Gadolinium.

Microsoft announced this week that it has removed 18 Azure Active Directory applications from its Azure portal created by a China-linked cyber espionage group that is tracked as APT group Gadolinium (also known as APT40 or Leviathan).

The 18 Azure AD apps were removed by the IT giant in April, Microsoft also published a report detailing the operation of Gadolinium.

“Microsoft has taken proactive steps to prevent attackers from using our cloud infrastructure to carry out their attacks and suspended 18 Azure Active Directory applications that we have determined to be part of their malicious command & control infrastructure.” the Microsoft report states.

Looking for an Office 365 specialist?

GADOLINIUM abuses Microsoft cloud services

as a command and control infrastructure, the experts discovered a spear-phishing campaign with messages with armed attachments.

The threat actor uses a multi-stage infection process and makes strong use of PowerShell payloads. In mid-April 2020, the GADOLINIUM actors launched a COVID-19-themed campaign, and upon opening the messages, the target’s system would be infected with PowerShell-based malware loads.

Once the computers were infected, the threat actors used the PowerShell malware to install one of the 18 Azure AD apps.

The hackers used an Azure Active Directory application to configure the victim’s endpoint with the necessary permissions to exfiltrate data into a Microsoft OneDrive storage under their control.

“The use of this PowerShell Empire module is particularly challenging for traditional SOC monitoring to identify. The attacker uses an Azure Active Directory application to configure a victim’s endpoint with the permissions needed to exfiltrate data to the attacker’s own Microsoft OneDrive storage. ” continues the analysis. ” From the endpoint or network monitoring point of view, the activity initially appears to be related to trusted applications that use trusted APIs for cloud services, and in this scenario there are no permission srompts for OAuth permissions. “

Microsoft also removed a GitHub account used by the Gadolinium Group as part of a 2018 campaign.

Microsoft’s report also includes Indicators of Compromise (IoCs) for the Gadolinium campaign.

Source: bleeping computer

Microsoft Teams: All the new features you need to know.

Want to know more?

Get in touch

Related
blogs

View all blogs
Ontdek de Kracht van Microsoft Purview Data Governance
September 24, 2024

Discover the Power of Microsoft Purview Data Governance

Read more
Nieuwe Stemfunctie in Microsoft Teams: Efficiënter Vergaderen
September 23, 2024

New Voice feature in Microsoft Teams: More Efficient Meetings

Read more
OneDrive voegt gekleurde mappen toe aan Windows 11
September 22, 2024

New OneDrive Feature: Colored Folders in Windows 11 Explorer 🎨

Read more
Zero Trust E-mailbeveiliging
September 21, 2024

ALTA-ICT’s Zero Trust Email Security ✉️

Read more
Einde van Ondersteuning voor TLS 1.0 en 1.1
September 20, 2024

End of Support for TLS 1.0 and 1.1

Read more
September 19, 2024

Considerations for workplace management via Microsoft Intune

Read more
Microsoft 365 Copilot
September 18, 2024

New Copilot AI features make Microsoft Office apps even more convenient

Read more
Microsoft’s Copilot Pages
September 17, 2024

Copilot Pages: AI-driven Collaboration in Microsoft 365

Read more
Google Workspace en Microsoft 365
September 16, 2024

Google Workspace vs. Microsoft 365: Which one fits your organization best?

Read more
Google Workspace vereist OAuth
September 15, 2024

Deadline approaches: Google Workspace requires OAuth by Sept. 30

Read more

Tech Updates: Microsoft 365, Azure, Cybersecurity & AI – Weekly in Your Mailbox.