As cyberattacks targeting Active Directory continue to rise, AD security, identity, and IT teams face mounting pressure to monitor the evolving AD-focused threat landscape. To assist IT professionals in comprehending and preventing attacks that involve AD, the Semperis Research Team publishes a monthly roundup of recent cyberattacks. In this month’s roundup, Spain warns of phishing attacks that used LockBit Locker ransomware, Rhysida ransomware group claimed an attack on Prospect Medical, and BlackCat targeted Seiko watch manufacturer.
LockBit Locker ransomware campaign targets architecture firms in Spain
A ransomware group believed to be unaffiliated with the LockBit group used LockBit Locker encryption technology in a campaign against Spanish architecture companies. The campaign used phishing emails impersonating a photography store to obtain administrative privileges on Windows machines.
Rhysida group claims attack on Prospect Medical
The Rhysida ransomware group claimed an attack on Prospect Medical Holdings that extracted 500,000 Social Security numbers, corporate documents, and patient records. Among other tactics, Rhysida uses a PowerShell script to compromise machines, including terminating RDP configurations and changing Active Directory passwords.
BlackCat claims attack on Seiko watch manufacturer
Japanese watchmaker Seiko suffered a ransomware attack by the BlackCat/ALPHV group that leaked production plans, employee passport scans, lab test results, and prospective watch design information. BlackCat targets Active Directory to gain entry into information systems before dropping malware.
Cuba ransomware group targets critical infrastructure in U.S. and Latin America
The Cuba ransomware group compromised critical infrastructure organizations in the U.S. and Latin America by exploiting a vulnerability in Microsoft’s NetLogon protocol to conduct privilege escalation against Active Directory domain controllers.
MOVEit breach extends to Colorado, Missouri, and U.S. government contractor Serco
The MOVEit breach conducted by the Clop ransomware group hit more victims, including the Colorado Department of Health Care Policy & Financing (HCPF), Missouri’s Department of Social Services, and U.S. government contractor Serco. Clop’s attack methods include targeting the victim’s entire network by compromising the Active Directory server and dropping malware.