Microsoft suspends 18 Azure accounts tied to China-based hackers - San Francisco News
by IANS
Updated Sep 26, 2020
The apps were part of the malicious command-and-control infrastructure of Gadolinium, a China-based nation-state activity group that has been compromising targets for nearly a decade, with a worldwide focus on the maritime and health industries.
As with most threat groups, Gadolinium tracks the tools and techniques of security practitioners, looking for new techniques it can use or modify to create new exploit methods, according to Ben Koehl from the Microsoft Threat Intelligence Centre (MSTIC).
Gadolinium uses cloud services and open-source tools to enhance the weaponization of its malware payloads, to attempt to gain command and control all the way to the server, and to evade detection.
"These attacks were delivered via spear-phishing emails with malicious attachments and detected and blocked by Microsoft Defender, formerly Microsoft Threat Protection (MTP), and able to be detected using Azure Sentinel," Microsoft said.
Recently, Microsoft observed newly expanded targeting outside of those sectors to include the Asia Pacific region and other targets in higher education and regional government organisations.
"Gadolinium has been experimenting with using cloud services to deliver their attacks to increase both operation speed and scale for years," the tech giant said in a blog post this week.
Two of the most recent attack chains, in 2019 and 2020, were delivered by Gadolinium using similar tactics and techniques.
Gadolinium used several different payloads to achieve its exploitation or intrusion objectives, including a range of PowerShell scripts that execute file commands to potentially exfiltrate data.
In mid-April 2020, Gadolinium actors were detected sending spear-phishing emails with malicious attachments.
The attachments were named to appeal to the target's interest in the Covid-19 pandemic.
Gadolinium uses an Azure Active Directory application to configure a victim endpoint with the permissions needed to exfiltrate data to the attacker's own Microsoft OneDrive storage.
"Gadolinium will no doubt evolve their tactics in pursuit of its objectives. As those threats target Microsoft customers, we will continue to build detections and implement protections to defend against them," Microsoft said.
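The technique described above, an Azure Active Directory application granted the permissions needed to push data to attacker-controlled OneDrive storage, leaves a trail in the tenant's audit log: someone has to consent to an app asking for file scopes. The following is an added detection example, written for this page and not code from the article or from Microsoft. It runs over a handful of constructed records that only loosely mirror the shape of Azure AD audit-log entries (the field names `OperationName`, `InitiatedBy`, `TargetResources`, `modifiedProperties` and `ConsentAction.Permissions` are assumptions for illustration, as are the app and user names) and flags successful consents that include a OneDrive/SharePoint file scope, so a defender can review which apps are being given that access and by whom.

```python
"""Flag OAuth consent grants that give an application access to users' files.

Added defensive example, not code from the article or from Microsoft. The
records below are constructed sample data, and the field layout is an
assumption that only loosely mirrors Azure AD audit-log entries.
"""
import re
from dataclasses import dataclass

# Microsoft Graph scopes that let an app read or write a user's OneDrive /
# SharePoint files; a consent containing any of these deserves a review.
FILE_SCOPES = {
    "Files.Read", "Files.Read.All",
    "Files.ReadWrite", "Files.ReadWrite.All",
    "Sites.ReadWrite.All",
}

# Constructed sample audit-log records (not real data, names are made up).
SAMPLE_AUDIT_LOGS = [
    {
        "OperationName": "Consent to application",
        "Result": "success",
        "InitiatedBy": {"user": {"userPrincipalName": "alice@example.test"}},
        "TargetResources": [{
            "displayName": "Covid19-Briefing-Viewer",
            "modifiedProperties": [{
                "displayName": "ConsentAction.Permissions",
                "newValue": "[[Scope: Files.ReadWrite offline_access User.Read, ConsentType: Principal]]",
            }],
        }],
    },
    {
        "OperationName": "Consent to application",
        "Result": "success",
        "InitiatedBy": {"user": {"userPrincipalName": "bob@example.test"}},
        "TargetResources": [{
            "displayName": "Corp Calendar Sync",
            "modifiedProperties": [{
                "displayName": "ConsentAction.Permissions",
                "newValue": "[[Scope: Calendars.Read User.Read, ConsentType: Principal]]",
            }],
        }],
    },
    {
        "OperationName": "Add user",
        "Result": "success",
        "InitiatedBy": {"user": {"userPrincipalName": "admin@example.test"}},
        "TargetResources": [{"displayName": "carol@example.test", "modifiedProperties": []}],
    },
]

# Pulls the space-separated scope list out of the consent property string.
SCOPE_RE = re.compile(r"Scope:\s*([^,\]]+)")


@dataclass(frozen=True)
class Finding:
    app: str
    user: str
    scopes: tuple  # only the file-related scopes that triggered the finding


def scopes_from_consent(record):
    """Return the granted scopes of a 'Consent to application' record as a tuple."""
    for target in record.get("TargetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") == "ConsentAction.Permissions":
                match = SCOPE_RE.search(prop.get("newValue", ""))
                if match:
                    return tuple(match.group(1).split())
    return ()


def find_file_access_consents(records):
    """Return one Finding per successful consent that includes a file scope."""
    findings = []
    for rec in records:
        if rec.get("OperationName") != "Consent to application":
            continue
        if rec.get("Result") != "success":
            continue
        risky = tuple(s for s in scopes_from_consent(rec) if s in FILE_SCOPES)
        if not risky:
            continue
        app = rec["TargetResources"][0].get("displayName", "<unknown app>")
        user = (rec.get("InitiatedBy", {}).get("user", {})
                .get("userPrincipalName", "<unknown user>"))
        findings.append(Finding(app=app, user=user, scopes=risky))
    return findings


if __name__ == "__main__":
    for f in find_file_access_consents(SAMPLE_AUDIT_LOGS):
        print(f"review consent: app={f.app!r} user={f.user} scopes={' '.join(f.scopes)}")
```

On the constructed input, only the first record is reported: the consent for "Covid19-Briefing-Viewer" carries `Files.ReadWrite`, while the calendar app asks for nothing file-related and the "Add user" event is not a consent at all. In a real tenant the same logic would run over exported `AuditLogs` rather than an inline list, and the scope set should be widened or narrowed to match the organization's own policy on which Graph permissions ordinary users may grant.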