Identity Attack Watch: February 2022

By Semperis Research Team February 25, 2022 | Active Directory

Cyberattacks targeting Active Directory are on the upswing, putting pressure on AD, identity, and security teams to monitor the constantly shifting AD-focused threat landscape. To help IT pros better understand and guard against attacks involving AD, the Semperis Research Team offers this monthly roundup of recent cyberattacks that used AD to introduce or propagate malware.

This month, the Semperis Research Team highlights data wiper malware used in cyberattacks that took out Ukrainian government and banking web sites, missteps by NOAA that facilitated Colonial Pipeline and other attacks, and Conti’s acquisition of TrickBot talent to expand attack techniques.

Cyberattackers targeting Ukraine gain Active Directory control to drop data wiper malware

In the first hours of the Russian attack on Ukraine, cyberattackers took Ukrainian government agencies and banks offline by dropping data wiper malware. In at least one case, cyberattackers gained control of the Active Directory server before dropping the wiper malware through domain policy GPO.

Read more

Audit: NOAA “inadequately” managed Active Directory, leading to Colonial Pipeline and other exploits

According to an audit from the U.S. Office of Inspector General, the National Oceanic and Atmospheric Administration (NOAA) “inadequately” managed Active Directory and failed to secure prime targets such as user credentials—vulnerabilities that were exploited in the Colonial Pipeline attack as well as other attacks that allowed ransomware groups DarkSide and REvil to gain remote access to U.S. entities.

Read more

Conti acquires TrickBot talent to expand Active Directory exploits

Ransomware group Conti has hired former TrickBot penetration specialists to expand its ability to gain Active Directory domain admin credentials in victim organizations’ systems before deploying ransomware. Cybercriminals recently used a phishing campaign on U.S. Postal Service customers to trick them into installing TrickBot malware.

Read more

Red Cross attacks exploit third-party software flaw to compromise Active Directory

Malicious actors used a flaw in Zoho ManageEngine ADSelfService Plus to attack the International Committee of the Red Cross (ICRC), compromising data of more than 515,000 people. The unpatched flaw enabled the attackers to compromise administrative accounts, move laterally through the system, and exfiltrate Windows registry hives and AD files.

Read more

FBI warns about LockBit 2.0 attacks

The U.S. Federal Bureau of Investigation (FBI) released indicators of compromise (IOCs) associated with LockBit 2.0 ransomware, which uses various tactics, techniques, and procedures (TTPs) to compromise victim organizations, including abusing AD group policies to encrypt devices across Windows domains.

Read more

More resources

About the author
Semperis Research Team
Semperis Research Team
The Semperis Research Team continuously studies the ways cyber criminals are plotting to compromise organizations' information systems—particularly by exploiting vulnerabilities in Active Directory—now and in the future. Their work provides guidance for the security community in protecting against AD-related attacks and informs the development of products that help organizations increase their cyber resilience. Linkedin
Unlock cyber resilience. Get a demo