Microsoft recently suspended 18 applications on its Azure cloud computing platform that a hacking group had been using as part of its command-and-control infrastructure to support phishing email attacks.
An advanced persistent threat group that Microsoft calls Gadolinium was using 18 Azure Active Directory applications as part of its malicious infrastructure to launch phishing emails starting earlier this year, according to Microsoft researchers. Many of these malicious messages used COVID-19-themed subject lines and attached documents to entice victims to click.
Gadolinium, which other security researchers track as APT40 and Leviathan, has been active since at least 2014 and has primarily targeted the U.S. and Western Europe, including victims in the maritime industry, naval defense contractors and healthcare organizations, according to reports. A 2019 FireEye report linked the group to China.
In the more recent activity that Microsoft discovered, it appears that Gadolinium has shifted its focus to government agencies and higher education organizations and has changed some of its techniques to avoid detection. This appears to be one reason why the group was using Azure to host its infrastructure, the researchers say.
“The Microsoft Identity Security Team has observed newly expanded targeting outside of those sectors to include the Asia Pacific region and other targets in higher education and regional government organizations,” according to the company’s report, which did not detail specific victims of these recent attacks. “As Gadolinium has evolved, [Microsoft] has continued to monitor its activity and work alongside our product security teams to implement customer protections against these attacks.”
The Microsoft report notes that Gadolinium originally relied on custom-crafted malware, which gave analysts distinctive artifacts to track and defend against.
In 2016, the Gadolinium hackers began switching tactics and adopted more open source tooling, such as the PowerShell Empire post-exploitation framework, so that their activity blended in with that of other actors and became harder for researchers to track. For instance, in 2018, the hackers began hosting commands on GitHub to communicate with infected devices. Those pages have also been taken down, according to the report.
The increasing use of open source tools continued through 2019, and the Gadolinium hackers eventually began abusing Azure resources as part of their attacks. Microsoft notes that various cloud offerings make it easy for threat actors to quickly establish new malicious infrastructure.
Evolution of Gadolinium attacks (Source: Microsoft)
“Because cloud services frequently offer a free trial or one-time payment (PayGo) account offerings, malicious actors have found ways to take advantage of these legitimate business offerings,” Microsoft notes. “By establishing free or PayGo accounts, they can use cloud-based technology to create a malicious infrastructure that can be established quickly then taken down before detection or given up at little cost.”
Researchers at Texas Tech University published a paper in June that found even legitimate hackers, such as penetration testers, routinely weaponize cloud resources as well (see: Even Ethical Hackers Abuse Cloud Services).
Microsoft began tracking Gadolinium’s latest campaign in mid-April, according to the report.
These attacks began with the hacking group sending COVID-19-themed spear-phishing emails to victims and using the Azure platform to host the PowerShell Empire malware. When a victim opened a malicious attachment, typically a Word or PowerPoint document, the PowerShell payload connected the compromised device to one of the Azure Active Directory apps, which served as the command-and-control channel, according to the report.
The Azure Active Directory apps would then automatically configure the victim's endpoint device with the permissions needed to exfiltrate data to the attacker's own Microsoft OneDrive storage, according to the report.
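One way a defender can catch this kind of grant in a tenant, as an added example that is not part of Microsoft's report: the script below triages Azure AD audit-log "Consent to application" events and raises an alert when an application outside a reviewed allow-list obtains Microsoft Graph file-access scopes or a refresh token, the combination that lets an implant push a user's files to storage the attacker controls. The audit-record layout is approximated, and the records, application names, IDs and allow-list are constructed for the example.

```python
"""Triage Azure AD audit-log "Consent to application" events for grants
that would let an app read or write a user's OneDrive.

Added example for this article; it is not code from the Microsoft report.
The record layout below approximates the Azure AD audit-log schema and the
sample records are constructed, not taken from any real tenant.
"""
import re
from dataclasses import dataclass, field

# Microsoft Graph delegated scopes that grant file access. An app consented
# with one of these can read or move the user's files with the user's token.
FILE_SCOPES = {
    "Files.Read", "Files.Read.All", "Files.ReadWrite", "Files.ReadWrite.All",
    "Sites.ReadWrite.All",
}
# offline_access yields a refresh token, so access survives sign-out.
PERSISTENCE_SCOPES = {"offline_access"}

# Hypothetical allow-list: app (client) IDs the tenant has already reviewed.
APPROVED_APP_IDS = {"22222222-2222-2222-2222-222222222222"}

# Constructed sample records (layout assumed to mirror Azure AD audit logs).
SAMPLE_AUDIT_LOG = [
    {
        "activityDisplayName": "Consent to application",
        "initiatedBy": {"user": {"userPrincipalName": "analyst@example.org"}},
        "targetResources": [{
            "id": "11111111-1111-1111-1111-111111111111",
            "displayName": "Quarterly Report Viewer",
            "modifiedProperties": [{
                "displayName": "ConsentAction.Permissions",
                "newValue": "[] => [[ConsentType: Principal, Scope: Files.ReadWrite.All offline_access User.Read]]",
            }],
        }],
    },
    {
        "activityDisplayName": "Consent to application",
        "initiatedBy": {"user": {"userPrincipalName": "admin@example.org"}},
        "targetResources": [{
            "id": "22222222-2222-2222-2222-222222222222",
            "displayName": "Approved HR Portal",
            "modifiedProperties": [{
                "displayName": "ConsentAction.Permissions",
                "newValue": "[] => [[ConsentType: AllPrincipals, Scope: Files.Read User.Read]]",
            }],
        }],
    },
    {   # Unrelated event type; the triage must ignore it.
        "activityDisplayName": "Update user",
        "initiatedBy": {"user": {"userPrincipalName": "admin@example.org"}},
        "targetResources": [{"id": "33333333-3333-3333-3333-333333333333",
                             "displayName": "jdoe", "modifiedProperties": []}],
    },
]

SCOPE_RE = re.compile(r"Scope:\s*([^,\]]+)")


@dataclass
class Finding:
    app_id: str
    app_name: str
    consenting_user: str
    scopes: set = field(default_factory=set)
    reasons: list = field(default_factory=list)


def extract_scopes(new_value: str) -> set:
    """Pull the space-separated scope list out of a ConsentAction.Permissions value."""
    m = SCOPE_RE.search(new_value)
    return set(m.group(1).split()) if m else set()


def triage(records, approved=APPROVED_APP_IDS):
    """Return a Finding for every consent grant to an unapproved app that
    obtained file-access or refresh-token capability."""
    findings = []
    for rec in records:
        if rec.get("activityDisplayName") != "Consent to application":
            continue
        target = rec["targetResources"][0]
        scopes = set()
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") == "ConsentAction.Permissions":
                scopes |= extract_scopes(prop.get("newValue", ""))
        if target["id"] in approved:
            continue  # reviewed app: worth auditing, but not an alert
        if not scopes & (FILE_SCOPES | PERSISTENCE_SCOPES):
            continue
        reasons = ["app ID not on the reviewed list"]
        if scopes & FILE_SCOPES:
            reasons.append("file-access scope(s): " + ", ".join(sorted(scopes & FILE_SCOPES)))
        if scopes & PERSISTENCE_SCOPES:
            reasons.append("offline_access: refresh token outlives the session")
        user = rec.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "?")
        findings.append(Finding(target["id"], target.get("displayName", "?"), user, scopes, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_AUDIT_LOG):
        print(f"ALERT {f.app_name} ({f.app_id}) consented by {f.consenting_user}")
        for r in f.reasons:
            print("  -", r)
```

Run against an export of the tenant's directory audit log, the script alerts only on the constructed "Quarterly Report Viewer" grant: it is not on the allow-list and it received both Files.ReadWrite.All and offline_access. The approved app's Files.Read grant is deliberately not alerted, which is the trade-off an allow-list makes; tenants that restrict user consent to verified publishers would instead block the first grant before it is ever logged.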
The combined use of PowerShell and Azure makes blocking these types of attacks more difficult for security teams, because both the tooling and the command-and-control endpoint look like legitimate activity, according to the report. By suspending the Azure Active Directory applications used by Gadolinium, however, Microsoft says it prevented the hackers from taking data from victims.
“Microsoft took proactive steps to prevent attackers from using our cloud infrastructure to execute their attacks and suspended 18 Azure Active Directory applications that we determined to be part of their malicious command-and-control infrastructure,” according to the report.
Brendan O’Connor, CEO and co-founder of security firm AppOmni, notes that as companies move data and resources to the cloud, nation-state hackers and cybercriminals are quickly following in those footsteps.
“In recent times, the movement of sensitive data to the cloud has presented a new and better target for many bad actors,” O’Connor tells Information Security Media Group. “Stealing computing resources often doesn’t make the headline compared to the theft of mass data. However, as more organizations move to the cloud requiring more and more computing resources, the attacks to take over these resources will continue to persist.”
Managing Editor Scott Ferguson contributed to this report