Cyberattacks targeting Active Directory are on the upswing, putting pressure on AD, identity, and security teams to monitor the constantly shifting AD-focused threat landscape. To help IT pros better understand and guard against attacks involving AD, the Semperis Research Team offers this monthly roundup of recent cyberattacks that used AD to introduce or propagate malware.
This month, the Semperis Research Team highlights new attacks by LockBit on public entities in California and Portugal, a Hive attack on a Louisiana hospital, and a BlackCat attack on Colombian energy supplier EPM.
LockBit claims attack on Port of Lisbon
The LockBit ransomware group claimed a Christmas Day attack on the Port of Lisbon in Portugal that compromised data but did not affect the port’s operations, although the port’s official website went offline. The port, considered critical infrastructure, is one of the most accessed in Europe, serving container ships, cruise ships, and pleasure boats. LockBit also recently claimed responsibility for an attack on the California Department of Finance. The LockBit group uses various tactics, techniques, and procedures (TTPs) to compromise victim organizations, including abusing AD group policies to encrypt devices across Windows domains.
Hive ransomware group claims attack on Louisiana hospital
The Hive ransomware group claimed responsibility for an October ransomware attack on Lake Charles Memorial Health System in Louisiana that compromised data of about 270,000 patients. Among other tactics, Hive uses remote admin software to infiltrate systems and establish persistence, then deploys tools such as ADRecon to map the AD environment.
BlackCat ransomware group hits Colombian energy supplier EPM
A BlackCat/ALPHV attack on Colombian energy supplier EPM took down operations of one of the country’s largest providers of public energy, water, and gas. Microsoft recently warned that the BlackCat ransomware group targets Exchange servers to gather Active Directory information needed to compromise the environment and drop file-encrypting payloads.