Microsoft has suspended 18 Active Directory apps used by hackers for malicious command and control infrastructure.

As many Azure customers have moved to cloud-based network infrastructure, the hackers who attack them have followed suit. Chinese government-backed hackers who exploit Microsoft Azure systems have now started hosting their own tools in the cloud.

Microsoft has been busy chasing this hacker group. The Microsoft Threat Intelligence Center (MSTIC) has observed the evolution of attacker techniques by an actor they call Gadolinium, according to MSTIC members Ben Koehl and Joe Hannon in a recent blog post.

According to the MSTIC post, the group are “using cloud services and open source tools to enhance weaponization of their malware payload, attempt to gain command and control all the way to the server, and to obfuscate detection.”

A game of cat and mouse

Gadolinium attacks were delivered via spear-phishing emails, which could be detected using Azure Sentinel.

The MSTIC post continues: “As these attacks were detected, Microsoft took proactive steps to prevent attackers from using our cloud infrastructure to execute their attacks and suspended 18 Azure Active Directory applications that we determined to be part of their malicious command & control infrastructure.”

The hackers move to open source

The Gadolinium hackers also adopted another industry trend: the move towards open-source tools such as PowerShell. Open-source software is widely used throughout the sector for legitimate aims, which means that the hackers are able to “hide in plain sight” by using these tools. According to Microsoft, Gadolinium has recently begun using a modified version of the open-source PowerShell Empire framework.

A rapid and consequential response from Microsoft

Upon learning of Gadolinium’s PowerShell activities, MSTIC took decisive countermeasures. In April 2020, the MSTIC team suspended the 18 Azure Active Directory applications that they knew were being exploited by the hackers. Microsoft also suspended a GitHub account which the hackers used in similar attacks two years ago.

Microsoft has released digital signatures and profile names used by Gadolinium. This will allow individuals and organizations to determine if they or their customers were targeted by the hacking group.