Identity Attack Watch: July 2022

By Semperis Research Team | July 29, 2022 | Active Directory

Cyberattacks targeting Active Directory are on the upswing, putting pressure on AD, identity, and security teams to monitor the constantly shifting AD-focused threat landscape. To help IT pros better understand and guard against attacks involving AD, the Semperis Research Team offers this monthly roundup of recent cyberattacks that used AD to introduce or propagate malware.

This month, the Semperis Research Team highlights LockBit’s ransomware attacks on small towns and the Italian tax agency, Black Basta’s hit on materials manufacturer Knauf, and more.

LockBit ransomware group claims attack on Italian tax agency

LockBit recently claimed responsibility for an alleged cyberattack that extracted 100GB of data from the Italian tax agency. LockBit uses various tactics, techniques, and procedures (TTPs) to compromise victim organizations, including abusing AD group policies to encrypt devices across Windows domains.

Black Basta attacks building materials manufacturer Knauf

New ransomware group Black Basta claimed responsibility for an attack on German building materials manufacturer Knauf that forced the company to shut down all IT systems, suspending business operations. To accelerate its operations, Black Basta teamed with the makers of QBot, Windows malware that extracts Windows domain credentials, then drops malware on infected devices.

LockBit targets small towns in Canada and Colorado in ransomware attacks

Although essential services such as transit and water systems were unaffected, the small Canadian town of St. Marys suffered a LockBit ransomware attack that left city officials scrambling to unlock IT systems and restore backup data. LockBit also claimed responsibility for a ransomware attack on Frederick, a small town on the Front Range of Colorado.

Game publisher Bandai Namco suffers BlackCat ransomware attack

Japanese game publisher Bandai Namco (maker of Elden Ring, Dark Souls, and other games) suffered an attack by ransomware group BlackCat that resulted in the theft of customers’ personal data. BlackCat, also known as AlphV, is considered a rebrand of the DarkSide gang. Microsoft recently warned that the BlackCat ransomware group is now targeting Exchange servers to gather Active Directory information needed to compromise the environment and drop file-encrypting payloads.

About the author
Semperis Research Team
The Semperis Research Team continuously studies the ways cyber criminals are plotting to compromise organizations' information systems—particularly by exploiting vulnerabilities in Active Directory—now and in the future. Their work provides guidance for the security community in protecting against AD-related attacks and informs the development of products that help organizations increase their cyber resilience.