Cyberattacks targeting Active Directory are on the upswing, putting pressure on AD, identity, and security teams to monitor the constantly shifting AD-focused threat landscape. To help IT pros better understand and guard against attacks involving AD, the Semperis Research Team offers this monthly roundup of recent cyberattacks that used AD to introduce or propagate malware.
This month, the Semperis Research Team highlights data wiper malware used in cyberattacks that took out Ukrainian government and banking websites, missteps by NOAA that facilitated Colonial Pipeline and other attacks, and Conti’s acquisition of TrickBot talent to expand attack techniques.
Cyberattackers targeting Ukraine gain Active Directory control to drop data wiper malware
In the first hours of the Russian attack on Ukraine, cyberattackers took Ukrainian government agencies and banks offline by dropping data wiper malware. In at least one case, cyberattackers gained control of the Active Directory server before dropping the wiper malware through a domain Group Policy Object (GPO).
Audit: NOAA “inadequately” managed Active Directory, leading to Colonial Pipeline and other exploits
According to an audit from the U.S. Office of Inspector General, the National Oceanic and Atmospheric Administration (NOAA) “inadequately” managed Active Directory and failed to secure prime targets such as user credentials. These vulnerabilities were exploited in the Colonial Pipeline attack as well as other attacks that allowed ransomware groups DarkSide and REvil to gain remote access to U.S. entities.
Conti acquires TrickBot talent to expand Active Directory exploits
Ransomware group Conti has hired former TrickBot penetration specialists to expand its ability to gain Active Directory domain admin credentials in victim organizations’ systems before deploying ransomware. Cybercriminals recently used a phishing campaign on U.S. Postal Service customers to trick them into installing TrickBot malware.
Red Cross attacks exploit third-party software flaw to compromise Active Directory
Malicious actors used a flaw in Zoho ManageEngine ADSelfService Plus to attack the International Committee of the Red Cross (ICRC), compromising data of more than 515,000 people. The unpatched flaw enabled the attackers to compromise administrative accounts, move laterally through the system, and exfiltrate Windows registry hives and AD files.
FBI warns about LockBit 2.0 attacks
The U.S. Federal Bureau of Investigation (FBI) released indicators of compromise (IOCs) associated with LockBit 2.0 ransomware, which uses various tactics, techniques, and procedures (TTPs) to compromise victim organizations, including abusing AD group policies to encrypt devices across Windows domains.