Cyberattacks targeting Active Directory are on the upswing, putting pressure on AD, identity, and security teams to monitor the constantly shifting AD-focused threat landscape. To help IT pros better understand and guard against attacks involving AD, the Semperis Research Team offers this monthly roundup of recent cyberattacks that used AD to introduce or propagate malware.
This month, the Semperis Research Team highlights identity-related cyberattacks including breaches at JBS, FujiFilm, and more—plus, details about the tactics used in the Colonial Pipeline attack.
Colonial Pipeline attack traced to inactive account
The Darkside ransomware group used a compromised password to gain access to an inactive VPN account in Colonial Pipeline’s network, a ploy that succeeded in shutting down the company’s 5,500-mile gas pipeline for 5 days and cost the company an estimated $5 million in ransom.
FujiFilm network breached in ransomware attack
Japanese conglomerate FujiFilm was forced to partially shut down operations in early June after its network was infected with Qbot malware currently being used by the REvil ransomware group. The Qbot malware gains remote access into compromised networks, paving the way for lateral movement throughout the environment and encryption of data.
JBS meat producer paid $11 million to REvil ransomware group after attack
JBS paid REvil ransomware group $11 million to decrypt files that were compromised in a cyberattack in late May. JBS officials said they needed the decryptor to restore only a couple of databases—the rest of the data was recovered from backups. JBS was forced to shut down some food production sites while negotiations were in progress.
REvil targets U.S. nuclear weapons contractor Sol Oriens
Sol Oriens, a consulting company that manages technologies for military and space applications, was hit by REvil ransomware group, which breached the company’s system and acquired documents. REvil referenced Sol Oriens’ ties to military agencies in a statement posted on its leak site.
UK National Cyber Security Centre calls for increased cyberattack defenses in education sector
The UK’s National Cyber Security Center (NCSC) warned about upticks in cyberattacks in the education sector, calling attention to the need for schools and other education entities to shore up defenses against tactics that exploit weak passwords, lack of multi-factor authentication, and unpatched vulnerabilities in remote desktop protocol (RDP) and virtual private networks (VPNs).
U.S. House engagement vendor iConstitutent compromised in ransomware attack
An automated messaging vendor used by the U.S. House of Representatives for communications with constituents was struck by a ransomware attack that prevented House offices from accessing data.
More Resources
Want to strengthen defenses of your Active Directory against cyberattacks? Check out our latest resources.
