430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|
Advertisement

Ad Placeholder

Full Width × 90

APT

Microsoft took down 18 Azure AD apps used by Chinese Gadolinium APT

Microsoft removed 18 Azure Active Directory applications from its Azure portal that were created by a Chinese-linked APT group Gadolinium. Microsoft announced this week to have removed 18 Azure Active Directory applications from its Azure portal that were created by a China-linked cyber espionage group tracked as APT group Gadolinium (aka APT40, or Leviathan). The 18 […]

GADOLINIUM Azure

Microsoft removed 18 Azure Active Directory applications from its Azure portal that were created by a Chinese-linked APT group Gadolinium.

Microsoft announced this week to have removed 18 Azure Active Directory applications from its Azure portal that were created by a China-linked cyber espionage group tracked as APT group Gadolinium (aka APT40, or Leviathan).

The 18 Azure AD apps were taken down by the IT giant in April, Microsoft also published a report that includes technical details about the Gadolinium’s operation.

“Microsoft took proactive steps to prevent attackers from using our cloud infrastructure to execute their attacks and suspended 18 Azure Active Directory applications that we determined to be part of their malicious command & control infrastructure.” states Microsoft’s report.

GADOLINIUM abuses Microsoft cloud services as command and control infrastructure, the experts uncovered a spear-phishing campaign using messages with weaponized attachments.

The threat actor uses a multi-stage infection process and heavily leverages PowerShell payloads. In mid-April 2020, the GADOLINIUM actors launched a COVID-19 themed campaign, upon opening the messages, the target’s system would be infected with PowerShell-based malware payloads.

Once infected computers, the threat actors used the PowerShell malware to install one of the 18 Azure AD apps.

The hackers used an Azure Active Directory application to configure the victim endpoint with the permissions needed to exfiltrate data a Microsoft OneDrive storage under their control.

GADOLINIUM Azure

“The use of this PowerShell Empire module is particularly challenging for traditional SOC monitoring to identify. The attacker uses an Azure Active Directory application to configure a victim endpoint with the permissions needed to exfiltrate data to the attacker’s own Microsoft OneDrive storage.” continues the analysis. “From an endpoint or network monitoring perspective the activity initially appears to be related to trusted applications using trusted cloud service APIs and, in this scenario,, no OAuth permissions consent prompts occur. “

Microsoft also took down a GitHub account that was used by the Gadolinium group as part of a 2018 campaign.

Microsoft’s report also includes Indicators of Compromise (IoCs) for the Gadolinium campaign.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Gadolinium)

[adrotate banner=”5″]

[adrotate banner=”13″]