Microsoft announced yesterday that it has removed 18 Azure Active Directory apps from the Azure portal that were developed and maliciously used by Chinese hackers. According to a report published yesterday by the Microsoft threat intelligence team, the 18 Azure AD apps were removed from the Azure portal in April. The report details the recent tactics of the Chinese hacking group Gadolinium, which is also known as APT40 or Leviathan.
The Azure AD apps were part of the group's 2020 attacks, which Microsoft described as "extremely difficult" to detect because of the multi-stage infection process and the heavy use of PowerShell payloads.
These attacks started with spear-phishing emails that sent targeted organizations malicious documents, usually PowerPoint files themed around the COVID-19 pandemic. Anyone who opened one of these documents was infected with PowerShell-based malware payloads. At that point the malicious Azure AD apps came into play.
Microsoft reported that, on infected computers, the Gadolinium hackers used the PowerShell malware to install one of the 18 Azure AD apps. The role of these applications was to automatically configure the victim's endpoint with the permissions required to exfiltrate data to the attacker's own Microsoft OneDrive storage.
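The technique described above leaves a trace a defender can look for: before an app can move a user's files, someone or something must grant it file-access permissions, and that grant is written to the Azure AD audit log. The following detector is an added example, not code from the article or from Microsoft; it scans exported consent events for apps that received OneDrive file scopes without being on an admin-approved allowlist. The event layout, field names, the allowlist and the sample log lines are all constructed for the example (the activity names are modeled on the real audit log, but the flat record shape is a simplification of the real export).

```python
"""
Added example (not from the Microsoft report or the article): scan exported
Azure AD audit-log events for application consent grants whose permission
scopes would let an app read or write a user's OneDrive files.
The flat event shape used here is a constructed, simplified stand-in for the
real audit-log records; the field names are assumptions.
"""
import json

# Microsoft Graph scopes that touch OneDrive / SharePoint file content.
# Chosen for the example; not an official or exhaustive list.
FILE_SCOPES = {
    "Files.Read", "Files.Read.All", "Files.ReadWrite", "Files.ReadWrite.All",
    "Sites.ReadWrite.All",
}

# Consent-related activity names, modeled on the real Azure AD audit log.
CONSENT_ACTIVITIES = {"Consent to application", "Add delegated permission grant"}

# Constructed sample events, one JSON object per line, as an export might look.
SAMPLE_AUDIT_LOG = """\
{"activity": "Consent to application", "user": "alice@example.test", "app": "Expense Report Viewer", "app_id": "11111111-1111-1111-1111-111111111111", "permissions": ["User.Read"], "admin_consent": false}
{"activity": "Consent to application", "user": "bob@example.test", "app": "Doc Sync Helper", "app_id": "22222222-2222-2222-2222-222222222222", "permissions": ["User.Read", "Files.ReadWrite.All", "offline_access"], "admin_consent": false}
{"activity": "Add user", "user": "admin@example.test", "app": null, "app_id": null, "permissions": [], "admin_consent": false}
{"activity": "Consent to application", "user": "carol@example.test", "app": "Corporate Backup", "app_id": "33333333-3333-3333-3333-333333333333", "permissions": ["Files.Read.All"], "admin_consent": true}
"""

# Apps an administrator has reviewed and approved (constructed allowlist);
# any other app that receives file scopes is reported.
APPROVED_APP_IDS = {"33333333-3333-3333-3333-333333333333"}


def parse_events(text):
    """Parse newline-delimited JSON events; skip blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # malformed export line; a real tool would log it
    return events


def find_suspicious_consents(events, approved=APPROVED_APP_IDS):
    """Return consent events that grant file scopes to non-approved apps.

    Each finding records who consented, which app, and which file scopes were
    granted: what an analyst needs to revoke the grant and then review that
    user's OneDrive activity for data that may already have been copied out.
    """
    findings = []
    for ev in events:
        if ev.get("activity") not in CONSENT_ACTIVITIES:
            continue
        granted = set(ev.get("permissions") or [])
        risky = sorted(granted & FILE_SCOPES)
        if not risky:
            continue
        if ev.get("app_id") in approved:
            continue
        findings.append({
            "user": ev.get("user"),
            "app": ev.get("app"),
            "app_id": ev.get("app_id"),
            "file_scopes": risky,
            "admin_consent": bool(ev.get("admin_consent")),
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_consents(parse_events(SAMPLE_AUDIT_LOG)):
        print(f"{f['user']} consented to {f['app']!r} ({f['app_id']}) "
              f"with file scopes {f['file_scopes']}")
```

On the constructed sample, only the "Doc Sync Helper" grant is reported: "Expense Report Viewer" requests no file scope, and "Corporate Backup" is on the allowlist. Restricting user consent so that only administrators can approve apps requesting such scopes removes the need for this check after the fact, but the audit-log review still catches grants made before that policy was in place.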
By removing the 18 Azure AD apps, Microsoft disrupted the Chinese hackers' attacks, at least for a while, and forced them to rethink and rebuild their attack infrastructure.
In addition, Microsoft said it was working to remove a GitHub account used by the Gadolinium group as part of its 2018 attacks. This prevents the hackers from reusing the same account in possible future attacks.
Microsoft's actions against this Chinese hacking group are not an isolated case. In recent years, Microsoft has worked hard to take down malware infrastructure that may have been used by "low-level or high-level" hackers. In the past, Microsoft has also tried to dismantle infrastructure used by other state-sponsored hacking groups associated with Russia, Iran and North Korea.