Cyberattacks targeting Active Directory are on the upswing, putting pressure on AD, identity, and security teams to monitor the constantly shifting AD-focused threat landscape. To help IT pros better understand and guard against attacks involving AD, the Semperis Research Team offers this monthly roundup of recent cyberattacks that used AD to introduce or propagate malware.
This month, the Semperis Research Team highlights attackers using the Bumblebee Loader to exploit Active Directory services, an Iranian threat group exploiting Log4j in a campaign against Israel, a Windows flaw that could allow attackers to compromise domain controllers, and more.
Attackers use Bumblebee loader to exploit Active Directory services
Threat actors are using the Bumblebee loader to conduct privilege escalation, reconnaissance, and credential theft on target networks. The cybercriminals then use stolen credentials of a highly privileged user to gain access to Active Directory.
Nobelium threat group uses MagicWeb capability to maintain access to compromised systems
The threat group responsible for the SolarWinds attack has devised a way to maintain persistence in compromised environments through a capability called MagicWeb. After gaining access to highly privileged credentials and moving laterally to gain privileges on an Active Directory Federation Services (AD FS) server, Nobelium uses MagicWeb to create a backdoor. Threat actors can also use MagicWeb to infiltrate Azure AD.
Iranian attackers exploit Log4j in campaign against Israel
An Iranian threat group known both as MuddyWater and Mercury is exploiting the Log4j vulnerability to compromise Israeli corporate networks. The group uses Log4j flaws to gain access to systems, then elevates privileges and uses Mimikatz to continue harvesting credentials from Active Directory domain controllers.
Windows flaw could allow attackers to gain control of DCs
A vulnerability (CVE-2022-30216) in remote procedure calls (RPC) for the Windows Server service could allow cybercriminals to gain control over domain controllers (DCs)—including services and data—in specific network configurations.
Agenda ransomware group targets Active Directory to deploy malware
Ransomware group Agenda has targeted Windows-based systems in attacks against healthcare and education organizations in Indonesia, Saudi Arabia, South Africa, and Thailand. Agenda uses leaked credentials to gain access to Active Directory, install scanning tools, create Group Policy Objects, and deploy ransomware on machines across the network.
Chinese APT group targets military and research organizations with identity-related attacks
By targeting known vulnerabilities and using known detection evasion techniques, a Chinese APT group has launched campaigns against military and research organizations that involve compromising domain controllers and conducting Kerberoasting attacks on Active Directory.
Russian APT group targets Microsoft 365 accounts to compromise Azure AD
Russian threat group CozyBear (aka APT29 and Nobelium) has targeted Microsoft 365 accounts in espionage campaigns against NATO countries. The group exploits the self-enrollment process for multi-factor authentication (MFA) in Azure Active Directory to conduct brute force attacks on usernames and passwords.
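Two of the items above, the Kerberoasting activity in the Chinese APT campaign and the brute-force sign-in attempts in the CozyBear campaign, share the same detection shape: one source touching many targets in a short span. The following Python example, added here as an illustration rather than code from Semperis or any of the reports summarized, applies one sliding-window "fan-out" detector to both cases. It runs over constructed sample records (not real log data); the 4769 field names (TargetUserName, ServiceName, TicketEncryptionType, IpAddress) are mapped to the short keys user, service, etype and ip, the sign-in records are a simplified stand-in for Azure AD sign-in logs, and the thresholds and time windows are assumptions to be tuned against a baseline.

```python
"""Detect "one source, many targets" patterns in two constructed data sets:
Windows Security event 4769 records (Kerberoasting) and Azure AD sign-in
records (password spraying). Sample data below is synthetic."""
from collections import defaultdict
from datetime import datetime, timedelta

# Ticket encryption type as logged in event 4769; RC4 tickets are the ones
# offline-cracking tools prefer. AES-only roasting is not covered by this heuristic.
RC4_HMAC = "0x17"

# Constructed 4769 events (not real log data). Short keys map to the 4769 fields
# TargetUserName, ServiceName, TicketEncryptionType and IpAddress.
SAMPLE_4769 = [
    {"time": "2022-08-10T09:00:01", "user": "svc_backup", "service": "MSSQLSvc/db01", "etype": "0x12", "ip": "10.0.0.5"},
    {"time": "2022-08-10T09:15:00", "user": "jdoe", "service": "MSSQLSvc/db01", "etype": "0x17", "ip": "10.0.0.23"},
    {"time": "2022-08-10T09:15:01", "user": "jdoe", "service": "http/intranet", "etype": "0x17", "ip": "10.0.0.23"},
    {"time": "2022-08-10T09:15:02", "user": "jdoe", "service": "svc_sharepoint", "etype": "0x17", "ip": "10.0.0.23"},
    {"time": "2022-08-10T09:15:03", "user": "jdoe", "service": "svc_sccm", "etype": "0x17", "ip": "10.0.0.23"},
    {"time": "2022-08-10T09:15:04", "user": "jdoe", "service": "svc_exchange", "etype": "0x17", "ip": "10.0.0.23"},
    {"time": "2022-08-10T10:00:00", "user": "asmith", "service": "krbtgt", "etype": "0x12", "ip": "10.0.0.40"},
]

# Constructed sign-in records (simplified stand-in for Azure AD sign-in logs).
SAMPLE_SIGNINS = [
    {"time": "2022-08-11T02:00:00", "user": "alice@corp.example", "ip": "203.0.113.7", "result": "failure"},
    {"time": "2022-08-11T02:00:05", "user": "bob@corp.example", "ip": "203.0.113.7", "result": "failure"},
    {"time": "2022-08-11T02:00:10", "user": "carol@corp.example", "ip": "203.0.113.7", "result": "failure"},
    {"time": "2022-08-11T02:00:15", "user": "dave@corp.example", "ip": "203.0.113.7", "result": "failure"},
    {"time": "2022-08-11T02:00:20", "user": "erin@corp.example", "ip": "203.0.113.7", "result": "failure"},
    {"time": "2022-08-11T02:00:25", "user": "frank@corp.example", "ip": "203.0.113.7", "result": "success"},
    {"time": "2022-08-11T08:30:00", "user": "alice@corp.example", "ip": "198.51.100.9", "result": "failure"},
]


def fan_out_sources(records, source_key, target_key, window, min_targets):
    """Return {source: sorted distinct targets} for every source that touched at
    least min_targets distinct targets within some span no longer than window."""
    by_source = defaultdict(list)
    for rec in records:
        by_source[source_key(rec)].append((datetime.fromisoformat(rec["time"]), target_key(rec)))
    findings = {}
    for src, items in by_source.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            # Slide the window start forward until it fits within `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            if len({t for _, t in items[start:end + 1]}) >= min_targets:
                findings[src] = sorted({t for _, t in items})
                break
    return findings


def find_kerberoasting(events_4769, window=timedelta(minutes=5), min_spns=4):
    """Accounts (keyed by user and client IP) requesting RC4 service tickets for
    many distinct SPNs in a short window. krbtgt requests are TGT traffic, not SPNs."""
    rc4 = [e for e in events_4769 if e["etype"] == RC4_HMAC and e["service"] != "krbtgt"]
    return fan_out_sources(rc4, lambda e: (e["user"], e["ip"]), lambda e: e["service"], window, min_spns)


def find_password_spray(signins, window=timedelta(minutes=30), min_users=5):
    """Source IPs with failed sign-ins against many distinct accounts; any
    successful sign-in from the same IP is listed so it can be escalated."""
    failures = [s for s in signins if s["result"] == "failure"]
    sprayers = fan_out_sources(failures, lambda s: s["ip"], lambda s: s["user"], window, min_users)
    report = {}
    for ip, users in sprayers.items():
        hits = sorted(s["user"] for s in signins if s["ip"] == ip and s["result"] == "success")
        report[ip] = {"sprayed_users": users, "successful_users": hits}
    return report


if __name__ == "__main__":
    print("Kerberoasting candidates:", find_kerberoasting(SAMPLE_4769))
    print("Password spray candidates:", find_password_spray(SAMPLE_SIGNINS))
```

On the sample data the first detector flags only jdoe from 10.0.0.23 (five RC4 service tickets in four seconds) and the second flags 203.0.113.7, with frank's successful sign-in listed for escalation. Legacy services that still negotiate RC4, and shared NAT egress addresses, both produce false positives, so the thresholds are meant to be set from an environment's own baseline rather than taken from this example.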