
September 27, 2020

Microsoft has removed 18 Azure Active Directory applications from its Azure portal created by a China-linked APT group, Gadolinium.

Microsoft announced this week that it has removed 18 Azure Active Directory applications from its Azure portal created by a China-linked cyber espionage group that is tracked as APT group Gadolinium (also known as APT40 or Leviathan).

The 18 Azure AD apps were removed by the IT giant in April; Microsoft has also published a report detailing Gadolinium's operations.

“Microsoft has taken proactive steps to prevent attackers from using our cloud infrastructure to carry out their attacks and suspended 18 Azure Active Directory applications that we have determined to be part of their malicious command & control infrastructure.” the Microsoft report states.

GADOLINIUM abuses Microsoft cloud services as command and control infrastructure: the experts discovered a spear-phishing campaign whose messages carried weaponized attachments.

The threat actor uses a multi-stage infection process and relies heavily on PowerShell payloads. In mid-April 2020, the GADOLINIUM actors launched a COVID-19-themed campaign; opening the messages infected the target’s system with PowerShell-based malware payloads.

Once the computers were infected, the threat actors used the PowerShell malware to install one of the 18 Azure AD apps.

The hackers used an Azure Active Directory application to configure the victim’s endpoint with the necessary permissions to exfiltrate data into a Microsoft OneDrive storage under their control.

“The use of this PowerShell Empire module is particularly challenging for traditional SOC monitoring to identify. The attacker uses an Azure Active Directory application to configure a victim’s endpoint with the permissions needed to exfiltrate data to the attacker’s own Microsoft OneDrive storage.” continues the analysis. “From the endpoint or network monitoring point of view, the activity initially appears to be related to trusted applications that use trusted APIs for cloud services, and in this scenario there are no permission prompts for OAuth permissions.”
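Because the endpoint and network view looks like legitimate Graph/OneDrive traffic, the place a defender can still see this technique is the tenant's own Azure AD audit log, where the app registration and the permission grant are recorded. The following is an added example (not Microsoft's code or anything from the report) that scans constructed audit-log entries and flags any non-allowlisted application that is granted file-access scopes. The event shape is a simplified version of the Azure AD audit log schema; field names such as `activityDisplayName`, `targetResources` and `ConsentAction.Permissions` follow that schema, while the app names, scopes and allowlist are constructed for the example.

```python
"""Flag Azure AD audit events that grant OneDrive/file scopes to unknown apps.

Added example. Input events are a simplified, constructed rendering of the
Azure AD audit log (one JSON object per line); the app names and allowlist
below are invented for the demonstration.
"""
import json
from dataclasses import dataclass
from typing import Iterable, List, Set

# Microsoft Graph scopes that let an application read or write user files.
FILE_SCOPES: Set[str] = {
    "Files.Read", "Files.Read.All", "Files.ReadWrite", "Files.ReadWrite.All",
    "Sites.ReadWrite.All",
}

# Audit activities that record a permission or consent grant to an app.
CONSENT_ACTIVITIES = {
    "Consent to application",
    "Add OAuth2PermissionGrant",
    "Add app role assignment to service principal",
}

# Constructed allowlist of applications the tenant expects to hold file scopes.
ALLOWED_APPS = {"Corp Backup Connector"}


@dataclass(frozen=True)
class Finding:
    timestamp: str
    app: str
    actor: str
    scopes: tuple
    reason: str


def scopes_from_event(event: dict) -> Set[str]:
    """Pull the granted scopes out of the ConsentAction.Permissions property.

    The property value looks like
    "[[Id: x, Scope: Files.ReadWrite offline_access, ConsentType: AllPrincipals]]";
    we take the space-separated tokens after "Scope:" up to the next comma/bracket.
    """
    scopes: Set[str] = set()
    for resource in event.get("targetResources", []):
        for prop in resource.get("modifiedProperties", []):
            if prop.get("displayName") != "ConsentAction.Permissions":
                continue
            value = prop.get("newValue", "")
            start = value.find("Scope:")
            if start == -1:
                continue
            rest = value[start + len("Scope:"):]
            end = min(i for i in (rest.find(","), rest.find("]"), len(rest)) if i != -1)
            scopes.update(rest[:end].split())
    return scopes


def app_name(event: dict) -> str:
    for resource in event.get("targetResources", []):
        if resource.get("type") == "ServicePrincipal":
            return resource.get("displayName", "<unknown>")
    return "<unknown>"


def analyze(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per consent event that hands file scopes to an app
    not on the allowlist. Non-consent activities are ignored."""
    findings: List[Finding] = []
    for line in lines:
        event = json.loads(line)
        if event.get("activityDisplayName") not in CONSENT_ACTIVITIES:
            continue
        app = app_name(event)
        if app in ALLOWED_APPS:
            continue
        granted = sorted(scopes_from_event(event) & FILE_SCOPES)
        if granted:
            findings.append(Finding(
                timestamp=event.get("activityDateTime", ""),
                app=app,
                actor=event.get("initiatedBy", "<unknown>"),
                scopes=tuple(granted),
                reason="file-access scopes granted to an app outside the allowlist",
            ))
    return findings


# Constructed sample audit lines: one benign allowlisted grant, one suspicious
# grant to an unknown app, one unrelated activity, one grant without file scopes.
SAMPLE_LINES = [
    json.dumps({"activityDateTime": "2020-04-14T09:12:03Z", "activityDisplayName": "Consent to application",
                "initiatedBy": "admin@example.test",
                "targetResources": [{"type": "ServicePrincipal", "displayName": "Corp Backup Connector",
                                     "modifiedProperties": [{"displayName": "ConsentAction.Permissions",
                                                             "newValue": "[[Id: a1, Scope: Files.ReadWrite.All, ConsentType: AllPrincipals]]"}]}]}),
    json.dumps({"activityDateTime": "2020-04-15T22:41:57Z", "activityDisplayName": "Consent to application",
                "initiatedBy": "jdoe@example.test",
                "targetResources": [{"type": "ServicePrincipal", "displayName": "Document Sync Helper",
                                     "modifiedProperties": [{"displayName": "ConsentAction.Permissions",
                                                             "newValue": "[[Id: b2, Scope: Files.ReadWrite offline_access, ConsentType: Principal]]"}]}]}),
    json.dumps({"activityDateTime": "2020-04-15T22:43:10Z", "activityDisplayName": "Add user",
                "initiatedBy": "admin@example.test", "targetResources": [{"type": "User", "displayName": "new.hire"}]}),
    json.dumps({"activityDateTime": "2020-04-16T08:00:00Z", "activityDisplayName": "Consent to application",
                "initiatedBy": "jdoe@example.test",
                "targetResources": [{"type": "ServicePrincipal", "displayName": "Mail Reader",
                                     "modifiedProperties": [{"displayName": "ConsentAction.Permissions",
                                                             "newValue": "[[Id: c3, Scope: Mail.Read, ConsentType: Principal]]"}]}]}),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LINES):
        print(f"{f.timestamp} {f.app!r} granted {','.join(f.scopes)} by {f.actor}: {f.reason}")
```

The check keys on the grant itself rather than on later OneDrive traffic, which is what the report says looks trustworthy; in a tenant this would be fed from the audit log export (for example via the Graph `auditLogs/directoryAudits` endpoint or a SIEM connector) and the allowlist maintained by the team that approves app registrations. A user-initiated consent to an unfamiliar app from an endpoint that was just running an unexpected PowerShell process is the correlation worth alerting on.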

Microsoft also removed a GitHub account used by the Gadolinium Group as part of a 2018 campaign.

Microsoft’s report also includes Indicators of Compromise (IoCs) for the Gadolinium campaign.

Source: bleeping computer
