Microsoft has warned organisations about the use of cloud services and open source tools by a nation-state hacker group named Gadolinium to target a variety of organisations primarily in the healthcare and maritime sectors.
The software giant said in a blog post that Gadolinium, which has been targeting and compromising a number of organisations worldwide for a nearly a decade, is now using cloud services and open source tools to enhance weaponisation of its malware payload and to gain command and control all the way to the server.
In the cyber security industry, Gadolinium is known as a Chinese hacker group that enjoys state support and is known by names such as Leviathan and APT40. According to Microsoft, the hacker group uses custom-crafted malware families to target organisations and over the past year, has begun using open-source toolkits to obfuscate its activities.
In order to increase the scale and speed of its attacks, Gadolinium has been using cloud services as well as GitHub to issue new commands to victim computers. Since April this year, Gadolinium has also been sending COVID-19-themed phishing emails to targeted organisations, attaching malicious PowerPoint files that install several payloads once downloaded on a computer.
In April, Microsoft discovered and suspended as many as eighteen Azure Active Directory applications that were being used by the hacker group as part of its malicious PowerShell Empire infrastructure. While Microsoft said the move will protect end users, the hackers are expected to quickly set up new cloud applications and use new open-source tools to carry out malicious activities.
“The GADOLINIUM PowerShell Empire toolkit allows the attacker to load additional modules to victim computers seamlessly via Microsoft Graph API calls. It provides a command and control module that uses the attacker’s Microsoft OneDrive account to execute commands and retrieve results between attacker and victim systems,” Microsoft said.
“The use of this PowerShell Empire module is particularly challenging for traditional SOC monitoring to identify. The attacker uses an Azure Active Directory application to configure a victim endpoint with the permissions needed to exfiltrate data to the attacker’s own Microsoft OneDrive storage.
“From an endpoint or network monitoring perspective the activity initially appears to be related to trusted applications using trusted cloud service APIs and, in this scenario, no OAuth permissions consent prompts occur,” it added. The company has shared indicators of compromise (IOCs) associated with Gadolinium’s activities to enable security workers to defend against the group’s attacks. These are listed below:
Hashes from malicious document attachments
Actor-owned email addresses
Azure Active Directory App IDs associated with malicious apps