As cyberattacks targeting Active Directory continue to rise, AD security, identity, and IT teams face mounting pressure to monitor the evolving AD-focused threat landscape. To help IT professionals understand and prevent attacks that involve AD, the Semperis Research Team publishes a monthly roundup of recent cyberattacks. In this month’s roundup, LockBit targets PaperCut servers, Black Basta hits the Canadian Yellow Pages, and BlackCat/ALPHV compromises NCR’s Aloha point-of-sale (POS) system.
PaperCut attacks attributed to Clop and LockBit ransomware groups
Microsoft attributed attacks on PaperCut print management software to the Clop and LockBit ransomware groups. LockBit’s tactics include exploiting Active Directory Group Policy vulnerabilities.
Black Basta claims attacks on Canadian Yellow Pages and Capita
Ransomware-as-a-service (RaaS) group Black Basta claimed responsibility for an attack on Canadian directory publisher Yellow Pages Group. Black Basta uses various tactics to compromise systems, including deploying QBot, which extracts Windows domain credentials and then drops malware on infected devices. Black Basta also claimed an attack on Capita, a London-based outsourcing group. That attack prevented access to Capita’s Microsoft Office 365 applications.
BlackCat/ALPHV claims attack on NCR
BlackCat hit NCR’s Aloha POS platform with an attack that targeted its datacenters, causing an outage that affected routine operations including payroll services. BlackCat’s tactics include targeting Exchange servers to gather Active Directory information needed to compromise the environment and drop file-encrypting payloads.