The Gadolinium group abused Azure AD applications to attack Microsoft Azure users.
Microsoft has removed from its Azure portal 18 Azure Active Directory applications that were developed and used by the Chinese cybercriminal group Gadolinium (also known as APT40 or Leviathan). The programs were removed in April this year.
Azure apps were used as part of a malware campaign in 2020 that Microsoft described as "particularly difficult" to detect due to the multi-stage infection process and the widespread use of PowerShell payloads.
The attacks began with targeted phishing, in which criminals sent malicious emails to organizations, usually containing COVID-19-themed PowerPoint files. As soon as the victim opened the document, malicious programs were installed on their system.
According to Microsoft, the hackers used malware on infected computers to install one of 18 Azure AD applications. The role of these applications was to automatically configure the victim's endpoint “with the permissions required to steal and send data to the attackers' Microsoft OneDrive.
In addition to removing malicious apps, Microsoft has also been working on removing the GitHub account that the same Gadolinium group used in their attacks in 2018. These actions will prevent criminals from reusing the same account for other potential attacks in the future.