Cyberattacks targeting Active Directory are on the upswing, putting pressure on AD, identity, and security teams to monitor the constantly shifting AD-focused threat landscape. To help IT pros better understand and guard against attacks involving AD, the Semperis Research Team offers this monthly roundup of recent cyberattacks that used AD to introduce or propagate malware.
This month, the Semperis Research Team highlights increased activity by Conti, BlackCat attackers targeting Exchange servers, and more.
Conti group attacks 40 organizations in one month
The Conti ransomware-as-a-service (RaaS) group conducted a campaign that breached more than 40 organizations in one month at the end of 2021. Conti, whose tactics include compromising Active Directory domain credentials, frequently monitors Windows updates and analyzes changes from new patches to uncover new attack approaches.
CISA urges organizations to adopt Exchange Online Modern Auth
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) urged agencies and private organizations that use the Microsoft Exchange cloud email platform to switch from legacy authentication models to Modern Auth (Active Directory Authentication Library and OAuth 2.0 token-based authentication) to guard against password spray attacks.
BlackCat attackers target Exchange servers to gather Active Directory info
Microsoft recently warned that the BlackCat ransomware group is now targeting Exchange servers to gather Active Directory information needed to compromise the environment and drop file-encrypting payloads. In addition to updating Exchange servers and monitoring external network access, Microsoft recommends that organizations review their identity security posture.
Vice Society ransomware group attacks Italian city of Palermo
Vice Society, which exploits known vulnerabilities on unpatched systems—including the PrintNightmare flaw—claimed responsibility for a cyberattack on Palermo, Italy. The attack caused a large-scale outage of online services.
Black Basta group partners with QBot malware operation to compromise corporate environments
Black Basta, a new ransomware group, has found quick success in compromising corporate environments by teaming up with the makers of QBot (aka QakBot), Windows malware that steals bank credentials and Windows domain credentials and then drops additional malware on infected devices.