Cyberattacks targeting Active Directory are on the upswing, putting pressure on AD, identity, and security teams to monitor the constantly shifting AD-focused threat landscape. To help IT pros better understand and guard against attacks involving AD, the Semperis Research Team offers this monthly roundup of recent cyberattacks that used AD to introduce or propagate malware.
This month, the Semperis Research Team highlights LockBit’s ransomware attacks on small towns and the Italian tax agency, Black Basta’s hit on materials manufacturer Knauf, and more.
LockBit ransomware group claims attack on Italian tax agency
LockBit recently claimed responsibility for an alleged cyberattack that extracted 100GB of data from the Italian tax agency. LockBit uses various tactics, techniques, and procedures (TTPs) to compromise victim organizations, including abusing AD group policies to encrypt devices across Windows domains.
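Because a modified Group Policy Object can push a payload to every computer in a domain in one replication cycle, a practical defensive check is to watch for recently changed GPOs that deploy scripts, scheduled tasks, or files. The script below is an added example written for this roundup, not Semperis code or anything LockBit uses; it assumes the RSAT GroupPolicy module is installed and the account has read access to the domain's GPOs, and the keyword watch list and the $Days parameter are this example's own choices.

```powershell
# Added example (not from the Semperis roundup): list Group Policy Objects changed in
# the last N days and flag those whose settings push code to domain computers.
# Assumes the RSAT GroupPolicy module and read access to the domain's GPOs.
param(
    [int]$Days = 7   # look-back window; chosen for this example
)

Import-Module GroupPolicy -ErrorAction Stop

$since = (Get-Date).AddDays(-$Days)

# Client-side extensions commonly used to deploy executables domain-wide.
# Heuristic watch list for triage, not an authoritative indicator of compromise.
$watchKeywords = @('ScheduledTasks', 'ImmediateTask', 'Scripts', 'Files', 'SoftwareInstallation')

$findings = foreach ($gpo in Get-GPO -All | Where-Object { $_.ModificationTime -ge $since }) {
    # The XML report contains every setting and every OU/site/domain the GPO is linked to.
    $reportXml = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    $hits = $watchKeywords | Where-Object { $reportXml -match $_ }

    [pscustomobject]@{
        Name        = $gpo.DisplayName
        Id          = $gpo.Id
        Modified    = $gpo.ModificationTime
        Owner       = $gpo.Owner
        LinksTo     = ([xml]$reportXml).GPO.LinksTo.SOMPath -join '; '
        DeploysCode = [bool]$hits
        Extensions  = $hits -join ', '
    }
}

# Newest changes first; rows with DeploysCode = True and a link high in the OU tree
# (for example the domain root) deserve immediate review against change records.
$findings | Sort-Object Modified -Descending | Format-Table -AutoSize
```

Run it on a schedule from a management host and compare the output against approved change tickets; a GPO that was modified outside a change window, is owned by an unexpected account, and deploys a scheduled task or startup script to a broad link target is the pattern worth escalating. Pair this with auditing of GPO container writes (directory service object modification events) so changes are visible even before the next scan.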
Black Basta attacks building materials manufacturer Knauf
New ransomware group Black Basta claimed responsibility for an attack on German building materials manufacturer Knauf that forced the company to shut down all IT systems, suspending business operations. To accelerate its operations, Black Basta teamed with the makers of QBot, Windows malware that extracts Windows domain credentials and then drops additional malware on infected devices.
LockBit targets small towns in Canada and Colorado in ransomware attacks
Although essential services such as transit and water systems were unaffected, the small Canadian town of St. Marys suffered a LockBit ransomware attack that left city officials scrambling to unlock IT systems and restore backup data. LockBit also claimed responsibility for a ransomware attack on Frederick, a small town on the Front Range of Colorado.
Game publisher Bandai Namco suffers BlackCat ransomware attack
Japanese game publisher Bandai Namco (maker of Elden Ring, Dark Souls, and other games) suffered an attack by ransomware group BlackCat that resulted in the theft of customers’ personal data. BlackCat, also known as AlphV, is considered a rebrand of the DarkSide gang. Microsoft recently warned that the BlackCat ransomware group is now targeting Exchange servers to gather Active Directory information needed to compromise the environment and drop file-encrypting payloads.