Semperis Research Team

Cyberattacks targeting Active Directory are on the upswing, putting pressure on AD, identity, and security teams to monitor the constantly shifting AD-focused threat landscape. To help IT pros better understand and guard against attacks involving AD, the Semperis Research Team offers this monthly roundup of recent cyberattacks that used AD to introduce or propagate malware.

This month, the Semperis Research Team highlights attackers using the Bumblebee Loader to exploit Active Directory services, an Iranian threat group exploiting Log4j in a campaign against Israel, a Windows flaw that could allow attackers to compromise domain controllers, and more.

Attackers use Bumblebee loader to exploit Active Directory services

Threat actors are using the Bumblebee loader to conduct privilege escalation, reconnaissance, and credential theft on target networks. The cybercriminals then use the stolen credentials of a highly privileged user to gain access to Active Directory.


Nobelium threat group uses MagicWeb capability to maintain access to compromised systems

The threat group responsible for the SolarWinds attack has devised a way to maintain persistence in compromised environments through a capability called MagicWeb. After gaining access to highly privileged credentials and moving laterally to gain privileges on an Active Directory Federation Services (AD FS) system, Nobelium uses MagicWeb to create a backdoor. Threat actors can also use MagicWeb to infiltrate Azure AD.


Iranian attackers exploit Log4j in campaign against Israel

An Iranian threat group known both as MuddyWater and Mercury is exploiting the Log4j vulnerability to compromise Israeli corporate networks. The group uses Log4j flaws to gain access to systems, then elevates privileges and uses Mimikatz to continue harvesting credentials from Active Directory domain controllers.


Windows flaw could allow attackers to gain control of DCs

A vulnerability (CVE-2022-30216) in remote procedure calls (RPC) for the Windows Server service could allow cybercriminals to gain control over domain controllers (DCs)—including services and data—in specific network configurations.


Agenda ransomware group targets Active Directory to deploy malware

Ransomware group Agenda has targeted Windows-based systems in attacks against healthcare and education organizations in Indonesia, Saudi Arabia, South Africa, and Thailand. Agenda uses leaked credentials to gain access to Active Directory, install scanning tools, create Group Policy Objects, and deploy ransomware on machines across the network.


Chinese APT group targets military and research organizations with identity-related attacks

By targeting known vulnerabilities and using known detection evasion techniques, a Chinese APT group has launched campaigns against military and research organizations that involve compromising domain controllers and conducting Kerberoasting attacks on Active Directory.

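Kerberoasting, as mentioned above, leaves a footprint in domain controller logs: a single account requesting RC4-encrypted service tickets (event 4769, ticket encryption type 0x17) for many different service accounts. The following detection is an added example written for this roundup, not code from Semperis or any of the reports it summarizes; the event lines are constructed and flattened into a simple key=value form, and the field names and the threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on Windows Security event 4769 (Kerberos service
# ticket requested), flattened to one event per line. Not real log data.
SAMPLE_EVENTS = """\
4769 AccountName=jdoe@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x12 ClientAddress=10.0.0.5
4769 AccountName=jdoe@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 ClientAddress=10.0.0.5
4769 AccountName=jdoe@CORP.LOCAL ServiceName=svc_backup TicketEncryptionType=0x17 ClientAddress=10.0.0.5
4769 AccountName=jdoe@CORP.LOCAL ServiceName=svc_web TicketEncryptionType=0x17 ClientAddress=10.0.0.5
4769 AccountName=jdoe@CORP.LOCAL ServiceName=WS01$ TicketEncryptionType=0x17 ClientAddress=10.0.0.5
4769 AccountName=alice@CORP.LOCAL ServiceName=svc_legacy TicketEncryptionType=0x17 ClientAddress=10.0.0.9
4769 AccountName=alice@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x12 ClientAddress=10.0.0.9
4769 AccountName=bob@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x11 ClientAddress=10.0.0.7
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")
RC4_TYPES = {"0x17", "0x18"}  # RC4-HMAC and RC4-HMAC-EXP ticket encryption types

def parse_4769(line):
    """Return the event's fields as a dict, or None if the line is not a 4769 event."""
    event_id, _, rest = line.strip().partition(" ")
    if event_id != "4769":
        return None
    return dict(FIELD_RE.findall(rest))

def flag_kerberoast_candidates(lines, threshold=3):
    """Map each requesting account to the sorted, distinct service accounts for which
    it obtained RC4-encrypted tickets, keeping only accounts at or above threshold.
    Tickets for krbtgt and for computer accounts (names ending in '$') are ignored:
    they are routine and their keys are not the weak, human-chosen ones roasting targets."""
    rc4_by_account = defaultdict(set)
    for line in lines:
        ev = parse_4769(line)
        if not ev or ev.get("TicketEncryptionType") not in RC4_TYPES:
            continue
        svc = ev.get("ServiceName", "")
        if svc == "krbtgt" or svc.endswith("$"):
            continue
        rc4_by_account[ev["AccountName"]].add(svc)
    return {acct: sorted(svcs) for acct, svcs in rc4_by_account.items()
            if len(svcs) >= threshold}

if __name__ == "__main__":
    for acct, svcs in flag_kerberoast_candidates(SAMPLE_EVENTS.splitlines()).items():
        print(f"{acct}: {len(svcs)} RC4 service tickets -> {', '.join(svcs)}")
```

A single RC4 request from a legacy application (alice above) stays below the threshold; tune it to the environment and pair it with a plan to move service accounts to AES-only keys, which removes the RC4 signal attackers rely on.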

Russian APT group targets Microsoft 365 accounts to compromise Azure AD

Russian threat group CozyBear (aka APT29 and Nobelium) has targeted Microsoft 365 accounts in espionage campaigns against NATO countries. The group exploits the self-enrollment process for multi-factor authentication (MFA) in Azure Active Directory to conduct brute force attacks on usernames and passwords.

