Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

9/29/2020
10:30 AM
50%
50%

State-Sponsored Hacking Groups Increasingly Use Cloud & Open Source Infrastructure

Microsoft shuts down Azure Active Directory instances used by attackers to evade detection and warns that the use of open source tools by espionage groups is growing.

Espionage groups increasingly use cloud-based services and open source tools to create their infrastructure for gathering data and cyberattacks, attempting to hide their activities in the massive quantity of services and resources used by legitimate organizations. 

Last week, Microsoft suspended 18 Azure Active Directory "applications" that the company identified as a component of a Chinese espionage group's command-and-control channel. Dubbed GADOLINIUM by Microsoft, the cyberattack group has adopted a combination of cloud infrastructure, which can be quickly reconstituted in the event of a takedown, and open source tools, which can help attackers' actions blend into more legitimate activity.

Related Content:

Stealing Data by 'Living off the Land'

State of Endpoint Security: How Enterprises Are Managing Endpoint Security Threats

New on The Edge: RASP 101: Staying Safe With Runtime Application Self-Protection

The group is not the only state-sponsored group to increasingly employ cloud infrastructure and open source tools, according to Microsoft Threat Intelligence Center (MSTIC).

"MSTIC has noticed a slow trend of several nation-state activity groups migrating to open source tools in recent years ... an attempt to make discovery and attribution more difficult," Microsoft stated in a blog post. "The other added benefit to using open-source types of kits is that the development and new feature creation is done and created by someone else at no cost."

GADOLINIUM — also known as APT40, Kryptonite Panda, and Leviathan — has focused on stealing maritime information and associated research from universities to advance China's expansion of its navy, according to an analysis by cybersecurity services firm FireEye. While the espionage group has toyed with cloud infrastructure since 2016, the use of open source tools has only happened in the past two years, Microsoft said in its own analysis.

By using commodity services and tools, the attackers not only blend into legitimate activity more completely but also become harder to identity as a specific group, says Dennis Wilson, global director of SpiderLabs at Trustwave, a security services firm.

"A sophisticated attacker becomes a lot harder to identify when they use open source tools and readily available cloud assets to perform their attacks," he says, adding that "if 20 or 30 different groups are using the same malware and the same techniques, it becomes much harder to tell them apart by their tools and tactics."

GADOLINIUM is not the only espionage group to use common tools to attempt to escape detection. Several security firms have noted that attackers are increasingly "living off the land" by using administrative tools already installed on targeted systems as a way to hide their activities. For example, another Chinese cyberattack group — known as APT41, Wicked Panda, Barium, or Axiom  —has used widely available tools, such a Microsoft BITSAdmin and the Metasploit framework, to attack a broad cross-section of countries and industries, hitting targets in Australia, Canada, Italy, Japan, Philippines, Qatar, and Sweden, to name a few. 

Earlier this month, the US Department of Justice charged five Chinese nationals and two Malaysian citizens as part of an investigation into APT41, alleging they worked together on intrusions into more than 100 US companies.

"The Department of Justice has used every tool available to disrupt the illegal computer intrusions and cyberattacks by these Chinese citizens," Deputy Attorney General Jeffrey A. Rosen, said in a statement announcing the arrests. "Regrettably, the Chinese communist party has chosen a different path of making China safe for cybercriminals so long as they attack computers outside China and steal intellectual property helpful to China."

In the attack incident Microsoft described in its analysis, GADOLINIUM used a variant of PowerShell, known as PowerShell Empire, to connect to both Azure Active Directory and Microsoft's OneDrive storage. Automated systems have a hard time detecting such attacks, as the variant of PowerShell and the fact that is connecting to a known cloud service are usually not considered suspicious activity, Microsoft stated in its analysis.

"The use of this PowerShell Empire module is particularly challenging for traditional SOC monitoring to identify," MSTIC stated in its blog post. "From an endpoint or network monitoring perspective the activity initially appears to be related to trusted applications using trusted cloud service APIs."

Another advantage of basing cyberattack infrastructure in the cloud is because an increasingly number of targeted companies and organizations also have assets in the cloud. Using the same infrastructure as the target can make exploitation easier, says Trustwave's Wilson.

"If you find a tactic that works against Microsoft Azure, for example, they can apply that same tactic or technique to any organization that uses that same technology," he says. "In the past, a company may have had this vendor for a firewall and this vendor for an [endpoint detection and response] solution, but now you have a lot of companies using the same cloud infrastructure, so now it becomes a cookie-cutter approach for the attackers to exploit companies across that infrastructure."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/23/2020
Modern Day Insider Threat: Network Bugs That Are Stealing Your Data
David Pearson, Principal Threat Researcher,  10/21/2020
Are You One COVID-19 Test Away From a Cybersecurity Disaster?
Alan Brill, Senior Managing Director, Cyber Risk Practice, Kroll,  10/21/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-21269
PUBLISHED: 2020-10-27
checkpath in OpenRC through 0.42.1 might allow local users to take ownership of arbitrary files because a non-terminal path component can be a symlink.
CVE-2020-27743
PUBLISHED: 2020-10-26
libtac in pam_tacplus through 1.5.1 lacks a check for a failure of RAND_bytes()/RAND_pseudo_bytes(). This could lead to use of a non-random/predictable session_id.
CVE-2020-1915
PUBLISHED: 2020-10-26
An out-of-bounds read in the JavaScript Interpreter in Facebook Hermes prior to commit 8cb935cd3b2321c46aa6b7ed8454d95c75a7fca0 allows attackers to cause a denial of service attack or possible further memory corruption via crafted JavaScript. Note that this is only exploitable if the application usi...
CVE-2020-26878
PUBLISHED: 2020-10-26
Ruckus through 1.5.1.0.21 is affected by remote command injection. An authenticated user can submit a query to the API (/service/v1/createUser endpoint), injecting arbitrary commands that will be executed as root user via web.py.
CVE-2020-26879
PUBLISHED: 2020-10-26
Ruckus vRioT through 1.5.1.0.21 has an API backdoor that is hardcoded into validate_token.py. An unauthenticated attacker can interact with the service API by using a backdoor value as the Authorization header.