Identity Attack Watch: January 2022

By Semperis Research Team January 28, 2022 | Active Directory

Cyberattacks targeting Active Directory are on the upswing, putting pressure on AD, identity, and security teams to monitor the constantly shifting AD-focused threat landscape. To help IT pros better understand and guard against attacks involving AD, the Semperis Research Team offers this monthly roundup of recent cyberattacks that used AD to introduce or propagate malware.

In this month’s issue: A phishing campaign exploits Azure AD environments that lack MFA enforcement, LockBit ransomware group repeatedly strikes in Europe, and researchers uncover a fast-moving noPac AD exploit.

Phishing attack exploits failure to enforce Azure AD MFA policies

Microsoft issued warnings about a new multi-phase phishing campaign that enrolls the attacker’s device through Azure Active Directory on corporate networks, exploiting cases where MFA is not enforced. After successfully registering the device, the attacker can steal credentials for use in broader penetration of the target organization.

Read more

LockBit ransomware group hits European businesses and French Ministry of Justice

Nearly a dozen businesses as well as the French Ministry of Justice were victims of a ransomware attack by LockBit ransomware-as-a-service (RaaS) group, which uses a malware deployment method that automates delivery to Active Directory clients through Group Policy Objects (GPO).

Read more

Researchers uncover noPac Active Directory exploit that can compromise DCs in seconds

An exploit called noPac that combines two Microsoft Active Directory flaws could lead to privileged escalation and domain controller compromise within seconds. The exploit elevates privileges of a regular domain user to domain admin.

Read more

More resources

About the author
Semperis Research Team
Semperis Research Team
The Semperis Research Team continuously studies the ways cyber criminals are plotting to compromise organizations' information systems—particularly by exploiting vulnerabilities in Active Directory—now and in the future. Their work provides guidance for the security community in protecting against AD-related attacks and informs the development of products that help organizations increase their cyber resilience. Linkedin
Unlock cyber resilience. Get a demo