Cyberattacks targeting Active Directory (AD) are on the upswing, putting pressure on AD, identity, and security teams to monitor the constantly shifting AD-focused threat landscape. To help IT pros better understand and guard against attacks involving AD, the Semperis Research Team offers this monthly roundup of recent cyberattacks that used AD to introduce or propagate malware.
In this April roundup, the Semperis Research Team highlights identity-related cyberattacks, including ransomware attacks on UK-based education charity Harris Federation and Broward County schools in Florida, a malicious software update to Click Studios’ Passwordstate, as well as a new form of ransomware, Cring, that exploits vulnerabilities in VPN servers by compromising authentication credentials.
Ransomware attack shuts down UK-based education charity Harris Federation
Harris Federation, a UK-based education charity that runs 50 primary and secondary academies, suffered a ransomware attack that disabled its email and telephone systems. The National Cyber Security Centre warned that ransomware attacks are targeting schools during the COVID-19 pandemic because of the increased use of remote devices that access school information systems through Remote Desktop Protocol (RDP) and Virtual Private Networks (VPNs), which often have faulty identity configurations and weak passwords.
Conti group attacks Broward County schools in Florida
A breach of the Broward County school district in Florida by Conti group likely used credentials stolen through phishing to steal student and employee information and infect the district’s information systems with malware.
New ransomware Cring compromises authentication credentials
Kaspersky researchers reported a new form of ransomware, Cring, that exploits security vulnerabilities in VPN servers to access authentication credentials and encrypt networks. The report highlights an unspecified victim in Europe that suffered a shutdown of business operations. Once the system was breached, attackers used Cobalt Strike to gain additional control over the infected systems.
‘Supply chain’ attack on password manager exposes users’ passwords
Attackers implanted malware into a software update to Click Studios’ password manager platform Passwordstate, potentially exposing 29,000 customers to exfiltration of passwords and other data. The breach occurred between April 20 and April 22. Researchers from CSIS Security Group revealed the attack, dubbed Moserpass. The infiltration of malware into software updates is a growing threat and was also involved in the recent SolarWinds supply chain attack.