Microsoft said today that it removed 18 Azure Active Directory applications from its Azure portal that had been created and abused by a Chinese state-sponsored hacking group.
The 18 Azure AD apps were taken down from the Azure portal earlier this year, in April, the Microsoft threat intelligence team said in a report published today.
The report described the recent tactics used by a Chinese hacking group known as Gadolinium (aka APT40, or Leviathan).
The Azure apps were part of the group's 2020 attack routine, which Microsoft described as "particularly challenging" to detect because of its multi-stage infection process and its broad use of PowerShell payloads.
These attacks began with spear-phishing emails aimed at the target organizations, carrying malicious documents, usually PowerPoint files with a COVID-19 theme.
Victims who opened one of these documents would be infected with PowerShell-based malware payloads. This is where the malicious Azure AD apps also came into play.
On infected computers, Microsoft said, the Gadolinium hackers used the PowerShell malware to install one of the 18 Azure AD apps. The role of these apps was to automatically configure the victim's endpoint "with the permissions needed to exfiltrate data to the attacker's own Microsoft OneDrive storage."
By removing the 18 Azure AD apps, Microsoft crippled the Chinese hacking group's attacks, at least for a short while, but it also forced the hackers to rethink and retool their attack infrastructure. Because the apps were registered in Microsoft's own identity platform, Microsoft could revoke them centrally, breaking the exfiltration stage on every infected endpoint at once.
In addition, Microsoft said it also worked to take down a GitHub account that the same Gadolinium group had used as part of its 2018 attacks. This action may not have had an impact on new operations, but it did prevent the hackers from reusing the same account for other attacks in the future.
Microsoft's actions against this Chinese hacking group are not an isolated case. Over the past few years, Microsoft has consistently intervened to take down malware infrastructure, whether it was used by low-level cybercrime operators or by high-end state-sponsored hacking groups.
In previous interventions, Microsoft also targeted the infrastructure used by other nation-state groups, tied to Iranian, North Korean, and Russian cyber-operations.