Microsoft takes action against Azure apps used by China-sponsored hackers


Image: computer chip with a Chinese flag, conceptual 3D illustration.

Fortune 500 companies aren't the only ones flocking to cloud services like Microsoft Azure. Increasingly, hackers working on behalf of the Chinese government are also hosting their tools in the cloud, and that has people in Redmond concerned.

Earlier this year, members of the Microsoft Threat Intelligence Center exposed 18 Azure Active Directory applications after discovering they were part of an extensive command-and-control network. In addition to the applications hosted in the cloud, members of the hacking group Microsoft calls Gadolinium also stored stolen data in a Microsoft OneDrive account and used the account to run various parts of the campaign.

Microsoft, Amazon, and other cloud providers have long promoted the speed, flexibility, and scalability that come from renting computing resources on demand rather than running dedicated servers in-house. Hackers seem to see the same benefits. Moving to the cloud is made especially easy by free trials and pay-as-you-go accounts, so hackers can be up and running quickly without a lasting business relationship or a valid payment card.

At the same time, Gadolinium has picked up on another trend in organized hacking circles: the move away from custom malware toward open source tooling such as PowerShell. Because such tools are so widely used for harmless and legitimate tasks, their malicious use is much harder to detect. Rather than relying on custom software to control infected devices, Gadolinium recently started using a modified version of PowerShell Empire, an open source post-exploitation framework.

In a post published on Thursday, Microsoft Threat Intelligence Center members Ben Koehl and Joe Hannon wrote:

In the past, GADOLINIUM used bespoke families of malware that analysts can identify and defend against. In response, GADOLINIUM began modifying parts of its toolchain last year to use open source toolkits to obscure its activities and make it harder for analysts to follow up. Since cloud services often offer a free trial or a PayGo (one-time payment) account, malicious actors have found ways to take advantage of these legitimate business offers. By creating free or PayGo accounts, they can use cloud-based technology to create malicious infrastructure that can be set up quickly and then shut down before detection or abandoned at low cost.

With its modified PowerShell Empire toolkit, the group can seamlessly load new modules through Microsoft programming interfaces, and the attacker-controlled OneDrive accounts can execute commands and receive the results passed between attacker and victim systems.

"This PowerShell Empire module is particularly difficult to identify for traditional SOC surveillance," the researchers write, referring to the security operations centers where security teams monitor customer networks for signs of cyberattacks. "The attacker used an Azure Active Directory application to configure a victim endpoint with the permissions required to exfiltrate data into the attacker's Microsoft OneDrive storage."
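As an added, defender-side example that is not part of this article or of Microsoft's post, the following Python script flags Azure AD audit events in which an unreviewed application was granted OneDrive file permissions of the kind the researchers describe. The audit log lines, application IDs and allowlist are constructed, and the event field names are an assumption modelled on audit-log exports rather than copied from a real tenant.

```python
import json

# Microsoft Graph permission scopes that give an app read or write access to
# OneDrive files, i.e. the ability to move data into or out of tenant storage.
FILE_SCOPES = {"Files.Read", "Files.Read.All", "Files.ReadWrite", "Files.ReadWrite.All"}

# Application IDs the organisation has already reviewed (constructed placeholder).
APPROVED_APP_IDS = {"11111111-1111-1111-1111-111111111111"}

# Constructed Azure AD audit events in JSON-lines form. Field names are an
# assumption modelled on audit-log exports, not copied from a real tenant.
SAMPLE_AUDIT_LOG = """
{"activity": "Consent to application", "appId": "11111111-1111-1111-1111-111111111111", "appDisplayName": "Payroll Sync", "scopes": ["User.Read", "Files.Read"], "initiatedBy": "admin@example.test"}
{"activity": "Consent to application", "appId": "22222222-2222-2222-2222-222222222222", "appDisplayName": "Doc Viewer", "scopes": ["User.Read", "Files.ReadWrite.All", "offline_access"], "initiatedBy": "jdoe@example.test"}
{"activity": "Add user", "appId": null, "appDisplayName": null, "scopes": [], "initiatedBy": "admin@example.test"}
{"activity": "Consent to application", "appId": "33333333-3333-3333-3333-333333333333", "appDisplayName": "Calendar Helper", "scopes": ["User.Read", "Calendars.Read"], "initiatedBy": "jdoe@example.test"}
""".strip()

def parse_audit_log(text):
    """Parse a JSON-lines audit export into event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def suspicious_file_consents(events):
    """Return consent grants to unreviewed apps that include OneDrive file scopes.
    'persistent' marks grants that also carry offline_access, i.e. a refresh token
    that lets the app keep reading files after the user has logged off."""
    findings = []
    for ev in events:
        if ev.get("activity") != "Consent to application":
            continue
        if ev.get("appId") in APPROVED_APP_IDS:
            continue  # already reviewed; out of scope for this check
        granted = set(ev.get("scopes") or [])
        file_scopes = sorted(granted & FILE_SCOPES)
        if not file_scopes:
            continue
        findings.append({
            "appId": ev.get("appId"),
            "appDisplayName": ev.get("appDisplayName"),
            "initiatedBy": ev.get("initiatedBy"),
            "fileScopes": file_scopes,
            "persistent": "offline_access" in granted,
        })
    return findings

if __name__ == "__main__":
    for finding in suspicious_file_consents(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(finding)
```

On the constructed sample the script reports only "Doc Viewer", the one unreviewed app that was granted a file scope together with offline_access; the reviewed payroll app and the calendar app are skipped.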

Image: a summary view of the evolution of Gadolinium attack techniques.


Agility and scalability work both ways

While the cloud offers advantages for attackers, those advantages cut both ways. Because the attacks were delivered using spear-phishing emails with malicious attachments, Microsoft Defender detected, blocked, and logged them, and they were eventually traced back to the infrastructure hosted in Azure.

"When these attacks were identified, Microsoft took proactive steps to prevent attackers from using our cloud infrastructure to carry out their attacks and exposed 18 Azure Active Directory applications that we identified as part of their malicious command and control infrastructure," Thursday's post continued. "This action has helped to protect our customers transparently, without the need for additional work."

Microsoft said it also deleted a GitHub account that Gadolinium used in similar attacks in 2018.

Microsoft is now releasing digital signatures and profile names known to have been used by Gadolinium, allowing individuals and organizations to determine whether they or their customers have been victims or intended targets of the group.

"Gadolinium will no doubt evolve its tactics to achieve its goals," the post concluded. "As these threats target Microsoft customers, we will continue to create detections and implement safeguards to defend them."


Steven Gregory