Identity Attack Watch: December 2021

By Semperis Research Team | December 31, 2021 | Active Directory

Cyberattacks targeting Active Directory are on the upswing, putting pressure on AD, identity, and security teams to monitor the constantly shifting AD-focused threat landscape. To help IT pros better understand and guard against attacks involving AD, the Semperis Research Team offers this monthly roundup of recent cyberattacks that used AD to introduce or propagate malware.

This month, the Semperis Research Team highlights actions to mitigate two Active Directory vulnerabilities that could allow attackers to take over Windows domains, the Log4j vulnerability, and new activity from the Cuba ransomware group.

Patching and additional actions advised to address Active Directory vulnerabilities

After releasing security patches for two Active Directory vulnerabilities during the November 2021 Patch Tuesday, Microsoft urged customers on December 20 to apply the patches immediately to prevent attackers from taking over Windows domains. Beyond patching, organizations can take further steps to prevent unauthorized creation of accounts that could lead to escalation of privileges and an attack.


Conti ransomware weaponizes Log4j vulnerability

The Russia-based Conti group has developed a comprehensive attack chain based on the Log4j vulnerability in the Apache logging library uncovered in December. The attack methodology includes Kerberoasting, which extracts service account credentials from Active Directory. The Log4j vulnerability is also suspected in a ransomware attack on Kronos, one of the largest human resources software companies, which disrupted payroll systems for organizations including the New York Metropolitan Transportation Authority (MTA) and many hospitals.


FBI warns of Cuba ransomware group activity targeting critical infrastructure

The U.S. Federal Bureau of Investigation (FBI) uncovered tactics, including the use of compromised credentials, that the Cuba ransomware group employed to compromise dozens of critical infrastructure entities in sectors spanning healthcare, government, and other industries.


ALPHV BlackCat ransomware tactics include configuring domain credentials

Research group MalwareThreatHunter uncovered ALPHV BlackCat, a sophisticated new ransomware with a customizable feature set that allows threat actors to configure domain credentials, among other tactics, to spread malware and encrypt devices on the network.



About the author
Semperis Research Team
The Semperis Research Team continuously studies the ways cyber criminals are plotting to compromise organizations' information systems—particularly by exploiting vulnerabilities in Active Directory—now and in the future. Their work provides guidance for the security community in protecting against AD-related attacks and informs the development of products that help organizations increase their cyber resilience.