Cyberattacks targeting Active Directory are on the upswing, putting pressure on AD, identity, and security teams to monitor the constantly shifting AD-focused threat landscape. To help IT pros better understand and guard against attacks involving AD, the Semperis Research Team offers this monthly roundup of recent cyberattacks that used AD to introduce or propagate malware.
This month, the Semperis Research Team highlights identity-related cyberattacks, including escalation of Russian cyberattacks on U.S. federal agencies; a state-sponsored attack on a U.S. local government that exploited bugs in a Fortinet appliance; the Colonial Pipeline attack, which targeted Windows vulnerabilities; the MountLocker ransomware attack, which exploited Windows Active Directory APIs; and more.
Microsoft reports that Russian cybercriminals behind SolarWinds attack are escalating efforts
A blog post from Microsoft Vice President Tom Burt warned that the Russian cybercriminals behind the SolarWinds attack are escalating their efforts, unleashing an attack that granted access to the email accounts of about 150 organizations through Constant Contact, an email marketing service used by the U.S. Agency for International Development (USAID).
FBI: APT cybercriminals exploited Fortinet bugs to attack U.S. local government
The FBI reports that state-sponsored advanced persistent threat (APT) actors exploited weaknesses in a Fortinet appliance to breach the web servers of a U.S. local government organization. After gaining access, the cybercriminals moved laterally through the network to create new domain controller, server, and workstation user accounts.
Colonial Pipeline attackers targeted Windows vulnerabilities, including AD
The Colonial Pipeline ransomware attack that shut down 5,500 miles of fuel pipeline gave further evidence that the ransomware group responsible for the attack, DarkSide, favors targeting Windows vulnerabilities, according to Semperis Director of Services Sean Deuby in a Cyber Security Asean report.
Conti attack on Ireland’s Health Services leveraged access to Windows domain credentials
Conti, the group responsible for the cyberattack on Ireland’s Health Services, applied a tried-and-true approach of using phishing attacks to install trojans that provided remote access to infected machines, leveraging that access to tap into Windows domain credentials, then deploying ransomware across the network.
MountLocker ransomware exploits Windows Active Directory APIs
The MountLocker ransomware-as-a-service operation now uses Windows Active Directory APIs to invade networks, according to a Bleeping Computer report. After using the API to connect to the victim’s AD services, MountLocker attackers can find devices in the compromised domain and encrypt them using stolen domain credentials.
CISA calls for review of permissions to combat FiveHands ransomware variant
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that a relatively new ransomware variant called FiveHands exploits Microsoft technology vulnerabilities. CISA recommends preventative measures including enforcing least privilege for accounts and enabling multi-factor authentication on privileged accounts.
Northern California county ransomware attack remediation required AD recovery
The IT team of Yuba County, California, provided a detailed account of their recovery from a ransomware attack, which included restoring Active Directory after cybercriminals created a fraudulent enterprise admin account and encrypted 50 PCs and 100 servers.
Analyst presents findings that faulty permissions led to breach of veterans’ med records
An analyst claimed that as many as 200,000 medical records of U.S. Veterans Administration patients might have been compromised by a ransomware gang that exploited a database that was left open by a vendor, allowing anyone to edit records without administrative credentials and exposing passwords and billing information.
Report: Risky Exchange operations top Azure Active Directory threat detection list
A new report on threat detections for Azure Active Directory and Office 365 has identified risky Exchange operations as the top threats based on frequency, and highlights the challenges of managing permissions in hybrid identity environments.
Bose post-attack preventative measures included password resets and enhanced monitoring for account changes
After being hit with a ransomware attack that compromised some customer data, audio equipment maker Bose implemented preventative measures against future attacks that included password resets for all end users and privileged accounts, enhanced monitoring and logging to detect future changes to accounts, and changed access keys for all service accounts.
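The account-change monitoring described in the Yuba County and Bose items (and the new-account creation in the FBI item) can be approximated by triaging Windows Security audit events for additions to privileged groups, escalating when the added member was created in the same event window. This is an added example, not code from Semperis or any vendor named above; it uses the standard Windows audit event IDs and field names, the privileged-group list is an assumed baseline, and the sample events are constructed.

```python
from dataclasses import dataclass
from typing import Iterable, List

# Windows Security audit event IDs (Microsoft-documented).
ACCOUNT_CREATED = 4720
GROUP_MEMBER_ADDED = {4728, 4732, 4756}  # global, domain-local, universal groups
# Assumed tier-0 baseline; extend with your own high-value groups.
PRIVILEGED_GROUPS = {"Enterprise Admins", "Domain Admins", "Schema Admins", "Administrators"}


@dataclass(frozen=True)
class Finding:
    event_id: int
    actor: str     # SubjectUserName: who made the change
    member: str    # account added to the group
    group: str     # TargetUserName: the group that was modified
    severity: str  # "critical" if the member was created in the same window


def _account_from_member(member: str) -> str:
    """4728/4732/4756 report MemberName as a DN; reduce it to the leading CN value."""
    if member.upper().startswith("CN="):
        return member[3:].split(",", 1)[0]
    return member


def triage(events: Iterable[dict]) -> List[Finding]:
    """Flag every addition to a privileged group; rank it critical when the
    added account was itself created earlier in the same event window."""
    created = set()
    findings: List[Finding] = []
    for ev in events:
        eid = ev["EventID"]
        if eid == ACCOUNT_CREATED:
            created.add(ev["TargetUserName"].lower())
        elif eid in GROUP_MEMBER_ADDED and ev["TargetUserName"] in PRIVILEGED_GROUPS:
            member = _account_from_member(ev["MemberName"])
            severity = "critical" if member.lower() in created else "high"
            findings.append(Finding(eid, ev["SubjectUserName"], member, ev["TargetUserName"], severity))
    return findings


# Constructed sample events (field names follow the Windows Security audit schema).
SAMPLE_EVENTS = [
    {"EventID": 4720, "SubjectUserName": "admin-j", "TargetUserName": "svc-backup2"},
    {"EventID": 4728, "SubjectUserName": "admin-j", "TargetUserName": "Enterprise Admins",
     "MemberName": "CN=svc-backup2,CN=Users,DC=corp,DC=example"},
    {"EventID": 4728, "SubjectUserName": "hr-admin", "TargetUserName": "Marketing",
     "MemberName": "CN=alice,CN=Users,DC=corp,DC=example"},
    {"EventID": 4756, "SubjectUserName": "admin-j", "TargetUserName": "Domain Admins",
     "MemberName": "CN=bob,CN=Users,DC=corp,DC=example"},
    {"EventID": 4720, "SubjectUserName": "hr-admin", "TargetUserName": "carol"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.actor} added {f.member} to {f.group} (event {f.event_id})")
```

Feed real events from the Security log (for example, exported via Get-WinEvent) into `triage` and route critical findings to an alert; a brand-new account landing in Enterprise Admins is the pattern the Yuba County team had to recover from.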
More Resources
Want to strengthen defenses of your Active Directory against cyberattacks? Check out our latest resources.