Cyberattacks targeting Active Directory are on the upswing, putting pressure on AD, identity, and security teams to monitor the constantly shifting AD-focused threat landscape. To help IT pros better understand and guard against attacks involving AD, the Semperis Research Team offers this monthly roundup of recent cyberattacks that used AD to introduce or propagate malware.
This month, the Semperis Research Team highlights identity-related cyberattacks, including LockFile’s abuse of the ProxyShell and PetitPotam flaws, surging LockBit 2.0 attacks, and expanding Hive activity.
LockFile attackers accelerate use of ProxyShell Exchange Server and PetitPotam flaws
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that LockFile attackers are actively exploiting the ProxyShell Exchange Server flaw and the PetitPotam vulnerability to gain access to Active Directory and attendant networks and subsequently drop malware.
LockBit 2.0 attacks surge
The rise in LockBit 2.0 attacks, which include a breach of global consulting firm Accenture’s systems, prompted the Australian Cyber Security Centre to release a warning about a “sharp and significant increase” in reported attacks. LockBit 2.0 automatically encrypts devices across Windows domains by abusing Active Directory group policies.
Hive takedown of health system triggers FBI alert
The FBI issued an alert and a list of Indicators of Compromise (IOCs) associated with Hive ransomware after the group took down Memorial Health System, which operates in Ohio and Virginia. Among various other tactics, Hive uses remote admin software such as ConnectWise to infiltrate systems and establish persistence, then deploys tools like ADRecon to map the Active Directory environment.
Nokia subsidiary suffers Conti ransomware attack
SAC Wireless, a Nokia subsidiary, was hit with a ransomware attack by Conti group, which breached the network, stole data, and encrypted systems. The attack prompted the company to bolster system access policies and expand multi-factor authentication (MFA) requirements, among other remediation actions.
REvil suspected in Nevada hospital attack
The University Medical Center Southern Nevada reported a ransomware attack that analysts say could be the work of the REvil group, which uses various tactics to breach systems, including exploiting administrator privileges.
Crytek game developer reports Egregor ransomware attack
Ransomware-as-a-service group Egregor breached game developer Crytek’s information systems, encrypting data and stealing customer information. Egregor, which was responsible for notorious attacks on retailers Barnes & Noble and Kmart, exploits Active Directory misconfigurations to breach networks.
BazaCall threats use phone centers to drop malware
Microsoft stepped up warnings about BazaCall threats, which trick victims into calling a fraudulent phone center and downloading BazaLoader ransomware with step-by-step guidance from human operators. After the initial breach, attackers use ADFind (a free command-line AD discovery tool) to extend reconnaissance across victims’ systems.