Microsoft announced this week to have removed 18 Azure Active Directory applications from its Azure portal that were created by a China-linked cyber espionage group tracked as APT group Gadolinium (aka APT40, or Leviathan).
The 18 Azure AD apps were taken down by the IT giant in April, Microsoft also published a report that includes technical details about the Gadolinium’s operation.
“Microsoft took proactive steps to prevent attackers from using our cloud infrastructure to execute their attacks and suspended 18 Azure Active Directory applications that we determined to be part of their malicious command & control infrastructure.” states Microsoft’s report.
GADOLINIUM abuses Microsoft cloud services as command and control infrastructure, the experts uncovered a spear-phishing campaign using messages with weaponized attachments.
The threat actor uses a multi-stage infection process and heavily leverages PowerShell payloads. In mid-April 2020, the GADOLINIUM actors launched a COVID-19 themed campaign, upon opening the messages, the target’s system would be infected with PowerShell-based malware payloads.
Once infected computers, the threat actors used the PowerShell malware to install one of the 18 Azure AD apps.
The hackers used an Azure Active Directory application to configure the victim endpoint with the permissions needed to exfiltrate data a Microsoft OneDrive storage under their control.
“The use of this PowerShell Empire module is particularly challenging for traditional SOC monitoring to identify. The attacker uses an Azure Active Directory application to configure a victim endpoint with the permissions needed to exfiltrate data to the attacker’s own Microsoft OneDrive storage.” continues the analysis. “From an endpoint or network monitoring perspective the activity initially appears to be related to trusted applications using trusted cloud service APIs and, in this scenario,, no OAuth permissions consent prompts occur. “
Microsoft also took down a GitHub account that was used by the Gadolinium group as part of a 2018 campaign.
Microsoft’s report also includes Indicators of Compromise (IoCs) for the Gadolinium campaign.
[adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, Gadolinium)
[adrotate banner=”5″]
[adrotate banner=”13″]
CISA adds Cisco ASA and FTD and CrushFTP VFS vulnerabilities to its Known Exploited Vulnerabilities…
U.S. CISA added the Windows Print Spooler flaw CVE-2022-38028 to its Known Exploited Vulnerabilities catalog.…
The U.S. Department of Justice (DoJ) announced the arrest of two co-founders of a cryptocurrency mixer…
Google addressed a critical Chrome vulnerability, tracked as CVE-2024-4058, that resides in the ANGLE graphics…
Nation-state actor UAT4356 has been exploiting two zero-days in ASA and FTD firewalls since November…
A malware campaign has been exploiting the updating mechanism of the eScan antivirus to distribute…
This website uses cookies.