Identity Attack Watch: May 2021

By Semperis Research Team May 28, 2021 | Active Directory

Cyberattacks targeting Active Directory are on the upswing, putting pressure on AD, identity, and security teams to monitor the constantly shifting AD-focused threat landscape. To help IT pros better understand and guard against attacks involving AD, the Semperis Research Team offers this monthly roundup of recent cyberattacks that used AD to introduce or propagate malware.

This month, the Semperis Research Team highlights identity-related cyberattacks, including escalation of Russian cyberattacks on U.S. federal agencies; state-sponsored attack on a U.S. local government that exploited bugs in a Fortinet appliance; the Colonial Pipeline attack, which targeted Windows vulnerabilities; the MountLocker ransomware attack, which exploited Windows Active Directory APIs; and more.

Microsoft reports that Russian cybercriminals behind SolarWinds attack are escalating efforts

A blog post from Microsoft Vice President Tom Burt warned that the Russian cybercriminals behind the SolarWinds attack are escalating their efforts, unleashing an attack that granted access to email accounts of about 150 organizations through Constant Contact, an email marketing services used by the U.S. Agency for International Development (USAID).

Read more 

FBI: APT cybercriminals exploited Fortinet bugs to attack U.S. local government

The FBI reports that state-sponsored advanced persistent threat (APT) actors exploited weaknesses in a Fortinet appliance to breach the web servers of a U.S. local government organization. After gaining access, the cybercriminals moved laterally through the network to create new domain controller, server, and workstation user accounts.

Read more

Colonial Pipeline attackers targeted Windows vulnerabilities, including AD

The Colonial Pipeline ransomware attack that shut down 5,500 miles of fuel pipeline gave further evidence that the ransomware group responsible for the attack, DarkSide, favors targeting Windows vulnerabilities, according to Semperis Director of Services Sean Deuby in a Cyber Security Asean report.

Read more

Conti attack on Ireland’s Health Services leveraged access to Windows domain credentials

Conti, the group responsible for the cyberattack on Ireland’s Health Services, applied a tried-and-true approach of using phishing attacks to install trojans that provided remote access to infected machines, leveraging that access to tap into Windows domain credentials, then deploying ransomware across the network.

Read more

MountLocker ransomware exploits Windows Active Directory APIs

Ransomware-as-a-service MountLocker now uses Windows Active Directory APIs to invade networks, according to a Bleeping Computer report. After using the API to connect to the victim’s AD services, MountLocker attackers can find devices in the compromised domain and encrypt them using stolen domain credentials.

Read more

CISA calls for review of permissions to combat FiveHands ransomware variant

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that a relatively new ransomware variant called FiveHands exploits Microsoft technology vulnerabilities. CISA recommends preventative measures including implementing least account privileges and enabling multi-factor authentication on privileged accounts.

Read more

Northern California county ransomware attack remediation required AD recovery

The IT team of Yuba County, California, provided a detailed account of their recovery from a ransomware attack, which included restoring Active Directory after cybercriminals created a fraudulent enterprise admin account and encrypted 50 PCs and 100 servers.

Read more

Analyst presents findings that faulty permissions led to breach of veterans’ med records

An analyst claimed that as many as 200,000 medical records of U.S. Veterans Administration patients might have been compromised by a ransomware gang that exploited a database that was left open by a vendor, allowing anyone to edit records without administrative credentials and exposing passwords and billing information.

Read more

Report: Risky Exchange operations top Azure Active Directory threat detection list

A new report on threat detections for Azure Active Directory and Office 365 has identified risky Exchange operations as the top threats based on frequency, and highlights the challenges of managing permissions in hybrid identity environments.

Read more

Bose post-attack preventative measures included password resets and enhanced monitoring for account changes

After being hit with a ransomware that compromised some customer data, audio equipment maker Bose implemented preventative measures against future attacks that included password resets for all end users and privileged accounts, enhanced monitoring and logging to detect future changes to accounts, and changed access keys for all service accounts.

Read more

More Resources

Want to strengthen defenses of your Active Directory against cyberattacks? Check out our latest resources.

 

About the author
Semperis Research Team
Semperis Research Team
The Semperis Research Team continuously studies the ways cyber criminals are plotting to compromise organizations' information systems—particularly by exploiting vulnerabilities in Active Directory—now and in the future. Their work provides guidance for the security community in protecting against AD-related attacks and informs the development of products that help organizations increase their cyber resilience. Linkedin
Unlock cyber resilience. Get a demo