Microsoft Azure blocks Gadolinium attacks

Microsoft has suspended 18 Azure Active Directory applications on its Cloud infrastructure that were being used by a Chinese nation-state actor to execute their attacks.
Microsoft Threat Intelligence Center
The cloud major said the apps were part of the malicious command and control infrastructure by Gadolinium – China-based nation-state activity group that has been compromising targets for nearly a decade with a worldwide focus on the maritime and health industries.

Microsoft said Gadolinium tracks the tools and techniques of security practitioners looking for new techniques they can use or modify to create new exploit methods, according to Ben Koehl from Microsoft Threat Intelligence Centre (MSTIC).

Gadolinium uses cloud services and open source tools to enhance weaponization of their malware payload, attempt to gain command and control all the way to the server, and to obfuscate detection.

“These attacks were delivered via spear-phishing emails with malicious attachments and detected and blocked by Microsoft Defender, formerly Microsoft Threat Protection (MTP), and able to be detected using Azure Sentinel,” Microsoft said.

Recently, Microsoft observed newly expanded targeting outside of those sectors to include the Asia Pacific region and other targets in higher education and regional government organizations, IANS reported.

“Gadolinium has been experimenting with using cloud services to deliver their attacks to increase both operation speed and scale for years,” the tech giant said in a blog post on 24 September.

Two of the most recent attack chains in 2019 and 2020 were delivered from Gadolinium using similar tactics and techniques.

Gadolinium used several different payloads to achieve its exploitation or intrusion objectives including a range of PowerShell scripts to execute file commands to potentially exfiltrate data.

In mid-April 2020, Gadolinium actors were detected sending spear-phishing emails with malicious attachments.

The filenames of these attachments were named to appeal to the target’s interest in the Covid-19 pandemic.

The Gadolinium uses an Azure Active Directory application to configure a victim endpoint with the permissions needed to exfiltrate data to the attacker’s own Microsoft OneDrive storage.

“Gadolinium will no doubt evolve their tactics in pursuit of its objectives. As those threats target Microsoft customers, we will continue to build detections and implement protections to defend against them,” Microsoft said.