As cyberattacks targeting Active Directory continue to rise, AD security, identity, and IT teams face mounting pressure to keep up with the evolving AD-focused threat landscape. To help IT professionals understand and prevent attacks that involve AD, the Semperis Research Team publishes a monthly roundup of recent cyberattacks. This month’s roundup includes the large-scale MOVEit exploitation campaign by the Clop ransomware group, BlackCat attacks on Reddit and Australian law firm HWL Ebsworth, and more.
Clop gang claims MOVEit attacks
The Clop ransomware gang claimed responsibility for large-scale attacks that exploited a zero-day SQL injection vulnerability (CVE-2023-34362) in the MOVEit Transfer managed file transfer (MFT) solution to steal data from the application’s database. Victims include the New York City Department of Education, Virginia insurance provider Genworth Financial, the California Public Employees’ Retirement System (CalPERS), the Louisiana Office of Motor Vehicles, and Oregon Driver & Motor Vehicle Services. Clop’s broader playbook includes moving beyond the initial foothold to the victim’s entire network by compromising Active Directory (AD) domain controllers and then deploying malware domain-wide.
Microsoft fixes authorization flaw enabling Azure AD account takeover
Microsoft released a fix and mitigation guidance for an authorization flaw involving Azure AD that allows malicious actors to escalate privileges and take over accounts in applications that identify users by the email claim of an Azure AD token. That attribute is not verified and can be set to any value by a tenant administrator, so an attacker controlling their own tenant can mint a token whose email matches a victim in another organization. Organizations found vulnerable to the misconfiguration included a design app, a customer experience company, and a multi-cloud consulting firm.
Grafana releases patch for flaw that allows Azure AD authentication bypass
Grafana, the open-source analytics and visualization platform, released security fixes for a vulnerability (CVE-2023-3128) that allows attackers to bypass Azure AD authentication and take over Grafana accounts. The flaw stemmed from Grafana matching accounts on the email claim of the Azure AD profile, which is neither unique across tenants nor verified, so a user from another tenant with the same email value could be logged in as the victim.
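The Azure AD account-takeover item above and the Grafana fix share the same root cause: the application mapped an incoming token to a local account using the mutable, non-unique email claim instead of the stable tenant and object identifiers. The following is an added example written for this roundup, not code from Semperis, Microsoft, or Grafana. It shows the vulnerable lookup beside the hardened one. The user store, the tenant and object GUIDs, and both token payloads are constructed for illustration and stand in for the claims of a token whose signature, issuer, audience, and expiry have already been validated (that validation is assumed, not shown).

```python
"""Account linking keyed on the OIDC ``email`` claim versus the stable
tenant/object identifiers.

Added example; not code from Semperis, Microsoft, or Grafana. The token
payloads below are constructed dictionaries standing in for the claims of
an already signature-verified Azure AD ID token. Issuer, audience and
expiry checks are assumed to have passed and are out of scope here.
"""
from typing import Optional

# Constructed user store: one local account already linked to an Azure AD
# identity. The tid (tenant) and oid (object) GUIDs are made up.
USERS = [
    {
        "id": 1,
        "name": "victim",
        "email": "victim@example.com",
        "tid": "11111111-1111-1111-1111-111111111111",
        "oid": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
    },
]

# Constructed: the legitimate user's token claims.
VICTIM_TOKEN = {
    "tid": "11111111-1111-1111-1111-111111111111",
    "oid": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
    "email": "victim@example.com",
}

# Constructed: a user in a different tenant whose administrator set the
# unverified mail attribute to the victim's address. tid and oid differ
# from the victim's; only the email value collides.
ATTACKER_TOKEN = {
    "tid": "22222222-2222-2222-2222-222222222222",
    "oid": "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb",
    "email": "victim@example.com",
}


def lookup_user_vulnerable(claims: dict) -> Optional[dict]:
    """Vulnerable pattern: map the token to a local account by email.

    The email claim is neither unique across tenants nor verified, so a
    token minted in any tenant can be made to match the victim's row.
    """
    email = claims.get("email", "").lower()
    for user in USERS:
        if user["email"].lower() == email:
            return user
    return None


def lookup_user_hardened(
    claims: dict, allowed_tenants: Optional[set] = None
) -> Optional[dict]:
    """Hardened pattern: key the account on the (tid, oid) pair.

    oid is immutable for a user within a tenant and tid identifies the
    tenant, so together they form a stable identity that another tenant's
    admin cannot forge. Email is kept only as display data. For
    multi-tenant apps an explicit tenant allowlist further narrows who
    may sign in at all.
    """
    tid, oid = claims.get("tid"), claims.get("oid")
    if not tid or not oid:
        return None
    if allowed_tenants is not None and tid not in allowed_tenants:
        return None
    for user in USERS:
        if user["tid"] == tid and user["oid"] == oid:
            return user
    return None


def email_is_verified(claims: dict) -> bool:
    """If a flow genuinely needs the email (e.g. matching an invitation),
    require Microsoft's optional ``xms_edov`` claim, which is true only
    when the email's domain is verified for the issuing tenant. Assumes
    the app has requested that optional claim in its manifest.
    """
    return claims.get("xms_edov") is True


if __name__ == "__main__":
    print("vulnerable, attacker token ->", lookup_user_vulnerable(ATTACKER_TOKEN))
    print("hardened,   attacker token ->", lookup_user_hardened(ATTACKER_TOKEN))
    print("hardened,   victim token   ->", lookup_user_hardened(VICTIM_TOKEN)["name"])
```

Run it as a script and the vulnerable lookup returns the victim's account for the attacker's token while the hardened lookup returns nothing for it and still resolves the real user. The same principle applies to any identity provider, not only Azure AD: link accounts on the issuer's stable subject identifier and treat email as untrusted until the provider explicitly asserts it is verified.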
ALPHV/BlackCat ransomware group threatens to leak data from Reddit breach
The BlackCat ransomware group (aka ALPHV) claimed the February attack on Reddit and has threatened to leak data if ransom demands aren’t met. BlackCat also claimed an April attack on Australian company HWL Ebsworth and published 1.45TB of stolen data. Suspected of being connected to REvil and to the BlackMatter (Darkside) group that hit Colonial Pipeline in May 2021, BlackCat targets Active Directory to gain entry into information systems before dropping malware.