Identity Attack Watch: June 2021

By Semperis Research Team June 25, 2021 | Active Directory

Cyberattacks targeting Active Directory are on the upswing, putting pressure on AD, identity, and security teams to monitor the constantly shifting AD-focused threat landscape. To help IT pros better understand and guard against attacks involving AD, the Semperis Research Team offers this monthly roundup of recent cyberattacks that used AD to introduce or propagate malware.

This month, the Semperis Research Team highlights identity-related cyberattacks including breaches at JBS, FujiFilm, and more—plus, details about the tactics used in the Colonial Pipeline attack.

Colonial Pipeline attack traced to inactive account

The Darkside ransomware group used a compromised password to gain access to an inactive VPN account in Colonial Pipeline’s network, a ploy that succeeded in shutting down the company’s 5,500-mile gas pipeline for 5 days and cost the company an estimated $5 million in ransom.
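The Colonial Pipeline entry turns on an account that was no longer in use but was still enabled and still accepted a password. The following PowerShell is an added example from this editor, not code from Semperis or from the article, showing the routine check an AD team can run to surface enabled accounts that have not authenticated within a threshold. It assumes the RSAT ActiveDirectory module is installed on a domain-joined host with read access to user objects; the 90-day threshold is an assumed value to tune per policy.

```powershell
# Added example (not from the Semperis article): list enabled AD user accounts that
# have not authenticated within a threshold, so stale accounts can be disabled before
# they become a remote-access foothold. Assumes the RSAT ActiveDirectory module and
# a domain-joined host with read access to user objects.
Import-Module ActiveDirectory

function Get-StaleEnabledAccount {
    param(
        [int]$InactiveDays = 90,        # assumed threshold; tune per policy
        [string]$SearchBase = $null     # optional OU to scope the query
    )
    $cutoff = (Get-Date).AddDays(-$InactiveDays)
    $params = @{
        Filter     = 'Enabled -eq $true'
        Properties = 'LastLogonDate', 'PasswordLastSet', 'whenCreated', 'MemberOf'
    }
    if ($SearchBase) { $params.SearchBase = $SearchBase }

    Get-ADUser @params | Where-Object {
        # LastLogonDate is derived from the replicated lastLogonTimestamp attribute,
        # which can lag the true last logon by up to 14 days; treat it as a coarse signal.
        # Accounts that never logged on are judged by their creation date instead.
        ($null -eq $_.LastLogonDate -and $_.whenCreated -lt $cutoff) -or
        ($null -ne $_.LastLogonDate -and $_.LastLogonDate -lt $cutoff)
    } | Select-Object SamAccountName,
        @{ n = 'LastLogon';    e = { $_.LastLogonDate } },
        @{ n = 'PasswordAge';  e = { if ($_.PasswordLastSet) { ((Get-Date) - $_.PasswordLastSet).Days } } },
        @{ n = 'GroupCount';   e = { @($_.MemberOf).Count } }
}

# Review the list first; stale accounts with many group memberships deserve the earliest attention.
Get-StaleEnabledAccount -InactiveDays 90 | Sort-Object LastLogon | Format-Table -AutoSize

# Disable (rather than delete) confirmed stale accounts so the change is reversible.
# -WhatIf keeps this a dry run until the list has been reviewed.
# Get-StaleEnabledAccount | ForEach-Object { Disable-ADAccount -Identity $_.SamAccountName -WhatIf }
```

Disabling rather than deleting keeps the SID and group memberships intact for rollback, and pairing this query with a review of which groups grant remote access (VPN, RDP gateways) catches the case the article describes: an account nobody uses that still opens a door.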


FujiFilm network breached in ransomware attack

Japanese conglomerate FujiFilm was forced to partially shut down operations in early June after its network was infected with Qbot malware currently being used by the REvil ransomware group. The Qbot malware gains remote access into compromised networks, paving the way for lateral movement throughout the environment and encryption of data.


JBS meat producer paid $11 million to REvil ransomware group after attack

JBS paid REvil ransomware group $11 million to decrypt files that were compromised in a cyberattack in late May. JBS officials said they needed the decryptor to restore only a couple of databases—the rest of the data was recovered from backups. JBS was forced to shut down some food production sites while negotiations were in progress.


REvil targets U.S. nuclear weapons contractor Sol Oriens

Sol Oriens, a consulting company that manages technologies for military and space applications, was hit by REvil ransomware group, which breached the company’s system and acquired documents. REvil referenced Sol Oriens’ ties to military agencies in a statement posted on its leak site.


UK National Cyber Security Centre calls for increased cyberattack defenses in education sector

The UK’s National Cyber Security Centre (NCSC) warned about upticks in cyberattacks in the education sector, calling attention to the need for schools and other education entities to shore up defenses against tactics that exploit weak passwords, lack of multi-factor authentication, and unpatched vulnerabilities in remote desktop protocol (RDP) and virtual private networks (VPNs).


U.S. House engagement vendor iConstituent compromised in ransomware attack

An automated messaging vendor used by the U.S. House of Representatives for communications with constituents was struck by a ransomware attack that prevented House offices from accessing data.



About the author
Semperis Research Team
The Semperis Research Team continuously studies the ways cyber criminals are plotting to compromise organizations' information systems—particularly by exploiting vulnerabilities in Active Directory—now and in the future. Their work provides guidance for the security community in protecting against AD-related attacks and informs the development of products that help organizations increase their cyber resilience.