Cyberattacks targeting Active Directory are on the upswing, putting pressure on AD, identity, and security teams to monitor the constantly shifting AD-focused threat landscape. To help IT pros better understand and guard against attacks involving AD, the Semperis Research Team offers this monthly roundup of recent cyberattacks that used AD to introduce or propagate malware.
This month, the Semperis Research Team highlights a new Windows zero-day vulnerability that can give malicious actors admin privileges, an attack on an Ohio hospital, and new evidence that ProxyShell vulnerabilities can lead to domain-wide compromises.
New Windows zero-day vulnerability grants admin privileges
A security researcher uncovered a new Windows zero-day local privilege elevation flaw that grants admin privileges on Windows 10, Windows 11, and Windows Server. Malicious actors with only limited access to a compromised device can use this vulnerability to elevate privileges and move laterally through an organization’s network.
Ohio hospital is latest healthcare provider victim in string of ransomware attacks
Southern Ohio Medical Center was hit with a ransomware attack that disrupted patient care and compromised patient data, becoming the latest in a string of incidents targeting healthcare providers in recent weeks. Johnson Memorial Health is still struggling to recover from an attack attributed to the ransomware group Hive, which uses remote admin software to infiltrate systems and establish persistence, then deploys tools like ADRecon to map the Active Directory environment.
Evidence mounts that ProxyShell vulnerabilities can lead to domain-wide attacks
Unpatched Exchange Server ProxyShell vulnerabilities revealed in July 2021 can enable privilege escalation and remote code execution. According to the DBIR Report, a customer running an unpatched Exchange Server suffered a ransomware attack that exploited these vulnerabilities and led to a domain-wide compromise.