As cyberattacks targeting Active Directory continue to rise, AD security, identity, and IT teams face mounting pressure to monitor the evolving AD-focused threat landscape. To assist IT professionals in comprehending and preventing attacks that involve AD, the Semperis Research Team publishes a monthly roundup of recent cyberattacks. In this month’s round-up of identity-related attacks, an identity-related attack targets Johnson Controls, the MOVEit breach claims more victims in Canada and the U.S., and the Royal ransomware group claims the City of Dallas breach.
Johnson Controls devices encrypted in ransomware attack
Automation company Johnson Controls reported large-scale IT outages after a ransomware attack encrypted devices across the organization. A threat researcher uncovered a ransomware note claiming that the attackers used a VMware ESXi encryptor developed by Dark Angels, a ransomware group that uses various tactics to breach networks and move laterally to gain control of Windows domain controllers.
MOVEit breach claims victims in Canada and US
The MOVEit data theft attacks by Clop ransomware group claimed several victims in Canada and the US, including the Hospital for Sick Children, the BORN Ontario child registry, and National Student Clearinghouse in the US. Clop’s attack methods include targeting the victim’s entire network by compromising the Active Directory (AD) server and dropping malware.
Royal ransomware group claims City of Dallas breach
An attack on the City of Dallas in May that shut down IT systems was claimed by the Royal ransomware group, which stole a domain service account that the attackers then used to exfiltrate files and drop Cobalt Strike payloads.
BlackCat/ALPHV targets casino group
BlackCat/ALPHV ransomware group claimed an attack on MGM that disrupted operations. The BlackCat/ALPHV, which routinely targets Active Directory to gain entry into information systems before dropping malware, also uses the Sphynx encryptor to target Azure cloud storage accounts.
Iranian APT33 attackers hit defense orgs in password spray attacks targeting Entra ID (Azure AD)
Microsoft reported that the Iranian APT33 cybercriminal group used password spray tactics to gain access to Entra ID (Azure AD) credentials in widespread breaches against global defense organizations.