According to a recent shareholder letter from…
Microsoft said Gadolinium (also known as APT40 or Leviathan) is a Chinese state-backed hacking group that developed and used 18 Azure Active Directory applications to target Microsoft Azure customers. In April of this year, all of the applications found were deleted from the Azure portal.
A recent Microsoft report describes the group's new tactics, of which the malicious Azure Active Directory applications are one part. Because of the multi-stage infection chain and the use of PowerShell payloads, the researchers describe these attacks as “highly difficult to detect.”
The PowerShell malware was used to install one of the 18 Azure Active Directory applications on a victim's machine. The apps then automatically configured the victim's endpoint so that the attackers held the privileges they needed to collect data and upload it to OneDrive.
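Since the abuse described above depends on an application holding consented permissions to users' OneDrive content, one defensive check is to review which consented applications in a tenant carry file-access scopes, and whether that consent is tenant-wide. The following Python is an added example, not Microsoft's code or anything from the report; the input shapes mimic Microsoft Graph `servicePrincipals` and `oauth2PermissionGrants` responses, the sample records are constructed, and the list of file scopes is an assumption.

```python
"""Review Azure AD (Entra ID) OAuth2 consent grants for OneDrive/SharePoint file scopes.
Shapes follow Microsoft Graph servicePrincipals / oauth2PermissionGrants; sample data is constructed."""
# Delegated scopes that let an app read or write users' files (assumed list; extend as needed).
FILE_SCOPES = {"Files.Read", "Files.Read.All", "Files.ReadWrite",
               "Files.ReadWrite.All", "Sites.ReadWrite.All"}
def find_file_access_grants(service_principals, grants):
    """Return one finding per grant that includes a file scope.
    Admin consent (consentType == 'AllPrincipals') covers every user in the tenant,
    so those grants sort first, with unverified publishers ahead of verified ones."""
    sp_by_id = {sp["id"]: sp for sp in service_principals}
    findings = []
    for g in grants:
        hit = set(g.get("scope", "").split()) & FILE_SCOPES
        if not hit:
            continue
        sp = sp_by_id.get(g["clientId"], {})
        publisher = (sp.get("verifiedPublisher") or {}).get("displayName")
        findings.append({
            "displayName": sp.get("displayName", "<unknown>"),
            "appId": sp.get("appId", "<unknown>"),
            "tenantWide": g.get("consentType") == "AllPrincipals",
            "fileScopes": sorted(hit),
            "verifiedPublisher": bool(publisher),
        })
    findings.sort(key=lambda f: (not f["tenantWide"], f["verifiedPublisher"]))
    return findings
# Constructed sample: an admin-consented unverified app, a verified per-user app, and a mail-only app.
SAMPLE_SERVICE_PRINCIPALS = [
    {"id": "sp-1", "appId": "11111111-0000-0000-0000-000000000001",
     "displayName": "Contoso Sync Helper", "verifiedPublisher": {"displayName": None}},
    {"id": "sp-2", "appId": "11111111-0000-0000-0000-000000000002",
     "displayName": "Team Chat", "verifiedPublisher": {"displayName": "Example Corp"}},
    {"id": "sp-3", "appId": "11111111-0000-0000-0000-000000000003",
     "displayName": "Expense Tracker", "verifiedPublisher": {"displayName": None}},
]
SAMPLE_GRANTS = [
    {"clientId": "sp-1", "consentType": "AllPrincipals", "principalId": None,
     "scope": "User.Read Files.ReadWrite.All offline_access"},
    {"clientId": "sp-2", "consentType": "Principal", "principalId": "user-7",
     "scope": "User.Read Files.Read"},
    {"clientId": "sp-3", "consentType": "Principal", "principalId": "user-7",
     "scope": "User.Read Mail.Read"},
]
if __name__ == "__main__":
    for f in find_file_access_grants(SAMPLE_SERVICE_PRINCIPALS, SAMPLE_GRANTS):
        print(f"{'TENANT-WIDE' if f['tenantWide'] else 'per-user   '} "
              f"{f['displayName']} ({f['appId']}): {', '.join(f['fileScopes'])}")
```

Against a real tenant, feed it the JSON returned by the `/servicePrincipals` and `/oauth2PermissionGrants` Graph endpoints; tenant-wide grants from unverified publishers are the ones to review first.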
Microsoft's researchers write that deleting these 18 apps at least temporarily disrupted the Chinese group's attacks and forced the attackers to go back and rebuild their systems. Microsoft also said it had recently obtained the removal of the GitHub account Gadolinium used in its 2018 ransomware campaigns. While this is unlikely to have a major impact on APT40's operations, it also discourages the hackers from reusing the same password across numerous threats.