Cyberattacks targeting Active Directory are on the upswing, putting pressure on AD, identity, and security teams to monitor the constantly shifting AD-focused threat landscape. To help IT pros better understand and guard against attacks involving AD, the Semperis Research Team offers this monthly roundup of recent cyberattacks that used AD to introduce or propagate malware.
In this month’s issue: A phishing campaign exploits Azure AD environments that lack MFA enforcement, LockBit ransomware group repeatedly strikes in Europe, and researchers uncover a fast-moving noPac AD exploit.
Phishing attack exploits failure to enforce Azure AD MFA policies
Microsoft issued warnings about a new multi-phase phishing campaign that enrolls the attacker’s device through Azure Active Directory on corporate networks, exploiting cases where MFA is not enforced. After successfully registering the device, the attacker can steal credentials for use in broader penetration of the target organization.
LockBit ransomware group hits European businesses and French Ministry of Justice
Nearly a dozen businesses as well as the French Ministry of Justice were victims of a ransomware attack by LockBit ransomware-as-a-service (RaaS) group, which uses a malware deployment method that automates delivery to Active Directory clients through Group Policy Objects (GPO).
Researchers uncover noPac Active Directory exploit that can compromise DCs in seconds
An exploit called noPac that combines two Microsoft Active Directory flaws could lead to privileged escalation and domain controller compromise within seconds. The exploit elevates privileges of a regular domain user to domain admin.
More resources
