Cyberattacks targeting Active Directory are on the upswing, putting pressure on AD, identity, and security teams to monitor the constantly shifting AD-focused threat landscape. To help IT pros better understand and guard against attacks involving AD, the Semperis Research Team offers this monthly roundup of recent cyberattacks that used identity system breaches to introduce or propagate malware.
This month, the Semperis Research Team highlights the Active Directory connection to the Microsoft Exchange Hafnium attack and other identity-related attacks, including stolen Mimecast source code, a breach of the Verkada video platform, and a ransomware attack on retailer FatFace.
Microsoft Exchange breach involved stolen copies of AD databases
The Microsoft Exchange breach by Hafnium targeted victim companies’ on-premises Exchange servers and allowed the attackers to compromise Active Directory, according to Volexity. In addition to conducting operations to dump credentials and add user accounts, the attacker was able to steal copies of Active Directory databases and move laterally to other systems and environments.
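The credential dumping, account creation and AD database theft described above all leave traces in the Windows Security log on domain controllers. The following PowerShell is an added example (not code from Semperis or Volexity) that scores a set of security events for those indicators; the sample events are constructed, the function names `Test-AdTheftIndicators` and `Get-RecentDcSecurityEvents` are hypothetical, and event IDs 4688 (process creation) and 4720 (user account created) are the standard Windows IDs. Event 4688 only carries the process command line when "Include command line in process creation events" is enabled.

```powershell
# Added example, not part of the original post. Flags new user accounts (4720)
# and process creations (4688) whose command line copies the AD database via
# ntdsutil or a volume shadow copy. Function names are hypothetical.

function Test-AdTheftIndicators {
    param(
        # Objects with Id, TimeCreated, Computer and Message properties,
        # i.e. the shape that Get-WinEvent returns.
        [Parameter(Mandatory)] [object[]] $Events
    )

    # Command-line fragments associated with copying ntds.dit (ATT&CK T1003.003).
    $ntdsPatterns = @(
        'ntdsutil.*ifm',            # ntdsutil "install from media" export
        'vssadmin.*create shadow',  # shadow copy of the system volume
        'ntds\.dit'                 # any direct reference to the database file
    )

    foreach ($e in $Events) {
        switch ($e.Id) {
            4720 {
                [pscustomobject]@{
                    Time      = $e.TimeCreated
                    Computer  = $e.Computer
                    Indicator = 'UserAccountCreated'
                    Detail    = ($e.Message -split "`n")[-1].Trim()
                }
            }
            4688 {
                foreach ($p in $ntdsPatterns) {
                    if ($e.Message -match $p) {
                        [pscustomobject]@{
                            Time      = $e.TimeCreated
                            Computer  = $e.Computer
                            Indicator = 'AdDatabaseCopy'
                            Detail    = "command line matched '$p'"
                        }
                        break   # one finding per event is enough
                    }
                }
            }
        }
    }
}

function Get-RecentDcSecurityEvents {
    # Live collection from a domain controller: needs read access to the
    # Security log; run it with the output piped into Test-AdTheftIndicators.
    param([string] $ComputerName = 'localhost', [int] $Hours = 24)
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4688, 4720
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue
}

# Constructed sample events so the function can be exercised offline.
$sample = @(
    [pscustomobject]@{ Id = 4688; TimeCreated = Get-Date; Computer = 'DC01'
        Message = "A new process has been created.`nProcess Command Line: ntdsutil.exe ifm" }
    [pscustomobject]@{ Id = 4720; TimeCreated = Get-Date; Computer = 'DC01'
        Message = "A user account was created.`nAccount Name: svc_backup2" }
    [pscustomobject]@{ Id = 4688; TimeCreated = Get-Date; Computer = 'DC01'
        Message = "A new process has been created.`nProcess Command Line: notepad.exe" }
)

Test-AdTheftIndicators -Events $sample | Format-Table -AutoSize
```

Against the constructed sample the function returns two findings (one AdDatabaseCopy for the ntdsutil command, one UserAccountCreated) and ignores the notepad event. In production, feed it the output of `Get-RecentDcSecurityEvents` from every domain controller, and treat any AdDatabaseCopy hit outside a known backup window as an incident, since a stolen ntds.dit gives an attacker every password hash in the domain offline.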
SolarWinds attackers targeted Mimecast’s AD systems to access source code
The attackers responsible for the SolarWinds breach also targeted Mimecast, stealing a certificate used to authenticate customers and downloading source code. The threat actor accessed Mimecast’s Windows environment and used service account credentials to breach Mimecast’s on-premises systems and cloud services, including Azure Active Directory.
Attackers used admin credentials to breach Verkada video network
The APT-69420 Arson Cats group obtained super admin credentials to breach more than 150,000 surveillance cameras managed by Verkada, a software platform that integrates video security cameras, access control solutions, and other technology. After finding the credentials in a publicly exposed plugin on a Verkada server, the attackers logged in to the company’s web app with elevated privileges and navigated through live video feeds from thousands of cameras.
Attack group advises victim FatFace to review AD policies
After demanding a $2 million ransom, attack group Conti advised its victim, fashion retailer FatFace, to review its Active Directory password policy. Conti also recommended other preventative measures: email filtering, employee phishing tests, better endpoint detection and response technology, and offline storage with tape-based backup. The group gained access to FatFace’s network through a phishing attack, obtained general administrative rights, and extracted data from backup servers and storage devices.
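Reviewing the AD password policy, as Conti advised FatFace, is a check defenders can script rather than eyeball. The following PowerShell is an added example (not code from Semperis, Conti or FatFace) that compares the effective domain policy, and any fine-grained password policies, against a baseline and lists every setting that falls short. The function names `Test-PasswordPolicyBaseline` and `Invoke-DomainPasswordPolicyReview` and the baseline thresholds are assumptions; the property names are those of the objects returned by `Get-ADDefaultDomainPasswordPolicy` and `Get-ADFineGrainedPasswordPolicy` in the ActiveDirectory module.

```powershell
# Added example, not part of the original post. Baseline values are assumptions;
# adjust them to your own standard. Function names are hypothetical.

function Test-PasswordPolicyBaseline {
    param(
        # An object shaped like the output of Get-ADDefaultDomainPasswordPolicy.
        [Parameter(Mandatory)] $Policy,
        [int] $MinLength            = 14,
        [int] $MaxLockoutThreshold  = 10,   # 0 means accounts never lock out
        [int] $MinHistory           = 24
    )
    $findings = @()
    if ($Policy.MinPasswordLength -lt $MinLength) {
        $findings += "MinPasswordLength is $($Policy.MinPasswordLength); baseline requires at least $MinLength"
    }
    if (-not $Policy.ComplexityEnabled) {
        $findings += "ComplexityEnabled is false"
    }
    if ($Policy.ReversibleEncryptionEnabled) {
        $findings += "ReversibleEncryptionEnabled is true (passwords recoverable from the AD database)"
    }
    if ($Policy.LockoutThreshold -eq 0 -or $Policy.LockoutThreshold -gt $MaxLockoutThreshold) {
        $findings += "LockoutThreshold is $($Policy.LockoutThreshold); baseline requires 1 to $MaxLockoutThreshold"
    }
    if ($Policy.PasswordHistoryCount -lt $MinHistory) {
        $findings += "PasswordHistoryCount is $($Policy.PasswordHistoryCount); baseline requires at least $MinHistory"
    }
    return $findings
}

function Invoke-DomainPasswordPolicyReview {
    # Live version: needs the ActiveDirectory module (RSAT) and domain read access.
    # Fine-grained policies override the default for the groups they apply to,
    # so each one is reviewed on its own.
    Import-Module ActiveDirectory
    [pscustomobject]@{
        Policy   = 'Default Domain Policy'
        Findings = @(Test-PasswordPolicyBaseline -Policy (Get-ADDefaultDomainPasswordPolicy))
    }
    foreach ($pso in Get-ADFineGrainedPasswordPolicy -Filter *) {
        [pscustomobject]@{
            Policy   = $pso.Name
            Findings = @(Test-PasswordPolicyBaseline -Policy $pso)
        }
    }
}

# Constructed sample policy so the check can be exercised without a domain.
$sample = [pscustomobject]@{
    MinPasswordLength           = 7
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
    LockoutThreshold            = 0
    PasswordHistoryCount        = 5
}
Test-PasswordPolicyBaseline -Policy $sample
```

The constructed sample produces three findings (length, lockout threshold and history). The reversible-encryption check matters most after an intrusion like the ones above: if it is enabled, a stolen AD database yields cleartext passwords rather than hashes.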
Want to strengthen your Active Directory defenses against cyberattacks? Check out our latest resources.
- Microsoft’s Red Forest Is End of Life, What Now?
- Do You Know Your Active Directory Security Vulnerabilities?
- Breaking Down Identity Updates from Microsoft Ignite 2021