Identity Attack Watch: April 2022

By Semperis Research Team April 29, 2022 | Active Directory

Cyberattacks targeting Active Directory are on the upswing, putting pressure on AD, identity, and security teams to monitor the constantly shifting AD-focused threat landscape. To help IT pros better understand and guard against cyberattacks targeting Active Directory, the Semperis Research Team offers this monthly roundup of recent attacks that used AD to introduce or propagate malware.

This month, the Semperis Research Team highlights BlackCat attacks that triggered an FBI warning, a Conti group attack on Panasonic, a Hive hit on a California health company, and more.

BlackCat ransomware activity triggers FBI warning

The U.S. Federal Bureau of Investigation (FBI) issued a warning about the BlackCat (aka ALPHV) ransomware-as-a-service (RaaS) group, which has attacked dozens of organizations worldwide since November 2021. Suspected of links to REvil and to the BlackMatter (DarkSide) group behind the May 2021 Colonial Pipeline attack, BlackCat typically gains initial access with previously compromised user credentials, then compromises Active Directory user and administrator accounts to extend its foothold before deploying ransomware.


Russian companies hit by leaked Conti ransomware

Tools originally developed by Russian ransomware group Conti and leaked by a Ukrainian ransomware developer were used to attack multiple Russian companies. Conti’s tactics include gaining Active Directory domain admin credentials before deploying ransomware.


Hive ransomware group attacks Partnership HealthPlan of California

Ransomware group Hive claimed responsibility for an attack that extracted private data for 850,000 members of Partnership HealthPlan of California. Among other tactics, Hive uses remote admin software to infiltrate systems and establish persistence, then deploys tools such as ADRecon to map the AD environment.


Conti claims responsibility for attack on Panasonic’s Canadian operations

In its second reported breach since November 2021, Panasonic disclosed that its Canadian operations were hit by a targeted cyberattack. The Conti ransomware group, which had recently brought in former TrickBot developers to strengthen its ability to compromise Active Directory domain credentials, claimed responsibility.
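The Conti entries above (the leaked-toolkit attacks on Russian companies and the Panasonic Canada breach) both turn on the same step: obtaining domain admin credentials before ransomware is pushed across the domain, and the BlackCat warning describes the same compromise of AD administrator accounts. A practical detection check is to alert on any addition to a privileged AD group and escalate when the added account was created minutes earlier by the same actor, a common pattern when an operator stages a backdoor admin account. The script below is an added example written for this roundup, not Semperis code or any tool from the groups discussed; the event records are constructed in the shape a SIEM export of Windows Security events 4720 (account created) and 4728/4732/4756 (member added to a global, domain-local or universal group) would have, and the group names and the one-hour window are assumptions.

```python
"""Flag additions to privileged AD groups in Windows Security events.

Added example (not Semperis code): a minimal detector over constructed
4720/4728/4732/4756 event records as a SIEM might export them.
"""
from datetime import datetime, timedelta

# Groups whose membership changes always deserve an alert (assumed list;
# names are the English defaults, so a production rule should match on SID,
# e.g. the domain SID + RID 512 for Domain Admins, rather than on names).
PRIVILEGED_GROUPS = {
    "domain admins", "enterprise admins", "schema admins",
    "administrators", "account operators", "backup operators",
}
GROUP_ADD_EVENTS = {4728, 4732, 4756}  # global / domain-local / universal group member added
ACCOUNT_CREATED = 4720


def _ts(value):
    return datetime.fromisoformat(value)


def _sam_from_member(member_name):
    # MemberName in 47xx events is a DN such as "CN=svc-backup2,OU=Service,DC=corp,DC=example";
    # take the leading RDN value so it can be matched against 4720's TargetUserName.
    first = member_name.split(",", 1)[0]
    return first.split("=", 1)[1].lower() if "=" in first else member_name.lower()


def privileged_group_adds(events, creation_window=timedelta(hours=1)):
    """Return one alert per addition to a privileged group, in time order.

    severity is "high" for any such addition and "critical" when the added
    account was created by the same actor within creation_window beforehand.
    """
    created = {}   # account name (lower) -> (creator, creation time)
    alerts = []
    for ev in sorted(events, key=lambda e: _ts(e["TimeCreated"])):
        eid, when = ev["EventID"], _ts(ev["TimeCreated"])
        if eid == ACCOUNT_CREATED:
            created[ev["TargetUserName"].lower()] = (ev["SubjectUserName"], when)
            continue
        if eid not in GROUP_ADD_EVENTS:
            continue
        if ev["TargetUserName"].lower() not in PRIVILEGED_GROUPS:
            continue
        member, actor = _sam_from_member(ev["MemberName"]), ev["SubjectUserName"]
        alert = {
            "time": ev["TimeCreated"], "actor": actor, "member": member,
            "group": ev["TargetUserName"], "severity": "high",
            "new_account_by_same_actor": False,
        }
        creator = created.get(member)
        if creator and creator[0] == actor and when - creator[1] <= creation_window:
            alert["severity"] = "critical"
            alert["new_account_by_same_actor"] = True
        alerts.append(alert)
    return alerts


# Constructed sample events (not real logs): an operator creates a service
# account and adds it to Domain Admins 84 seconds later; a routine help-desk
# group change; and a separate Enterprise Admins addition by an admin.
SAMPLE_EVENTS = [
    {"EventID": 4720, "TimeCreated": "2022-04-12T02:14:07",
     "SubjectUserName": "jsmith", "TargetUserName": "svc-backup2"},
    {"EventID": 4728, "TimeCreated": "2022-04-12T02:15:31",
     "SubjectUserName": "jsmith", "TargetUserName": "Domain Admins",
     "MemberName": "CN=svc-backup2,OU=Service,DC=corp,DC=example"},
    {"EventID": 4728, "TimeCreated": "2022-04-12T09:02:11",
     "SubjectUserName": "ad-ops", "TargetUserName": "Help Desk",
     "MemberName": "CN=tlee,OU=Users,DC=corp,DC=example"},
    {"EventID": 4756, "TimeCreated": "2022-04-12T10:40:00",
     "SubjectUserName": "ad-ops", "TargetUserName": "Enterprise Admins",
     "MemberName": "CN=mchen,OU=Users,DC=corp,DC=example"},
]

if __name__ == "__main__":
    for alert in privileged_group_adds(SAMPLE_EVENTS):
        print(alert)
```

On the sample data the script raises a critical alert for svc-backup2 (created and promoted by the same account within two minutes) and a high alert for the Enterprise Admins change; the Help Desk change is ignored. Note that 4728/4732/4756 are only logged when the domain controllers audit security group management, so confirm that subcategory is enabled before relying on this check.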



About the author
Semperis Research Team
The Semperis Research Team continuously studies the ways cyber criminals are plotting to compromise organizations' information systems—particularly by exploiting vulnerabilities in Active Directory—now and in the future. Their work provides guidance for the security community in protecting against AD-related attacks and informs the development of products that help organizations increase their cyber resilience.