Semperis Research Team

Cyberattacks targeting Active Directory are on the upswing, putting pressure on AD, identity, and security teams to monitor the constantly shifting AD-focused threat landscape. To help IT pros better understand and guard against attacks involving AD, the Semperis Research Team offers this monthly roundup of recent cyberattacks that used AD to introduce or propagate malware.

This month, the Semperis Research Team highlights the emerging Bloody Ransomware Gang, an SEO poisoning campaign that could lead to an Active Directory compromise, and multiple attacks claimed by the Hive ransomware group.

Emerging ransomware group uses leaked LockBit builder in attacks on Ukrainian entity

The Bloody Ransomware Gang, which started operating in May 2022 with attacks on New York medical and dental practices, used a LockBit 3.0 ransomware builder that was leaked on Twitter to launch attacks on a Ukrainian organization. The LockBit group uses various tactics, techniques, and procedures (TTPs) to compromise victim organizations, including abusing AD group policies to encrypt devices across Windows domains.


SEO poisoning campaign compromises multiple organizations

Cybercriminals used an SEO poisoning campaign to attack several organizations by targeting employees who use certain search terms and leading them to click on malicious search results. Victims who click on resources offered in fake forum pages unleash malware that collects user information, which could expose the organization's internal corporate domain name and potentially lead to an Active Directory compromise.


Lapsus$ breaches Uber’s internal systems

Teenage cybercrime group Lapsus$ claimed responsibility for an attack that compromised Uber's systems, including its Slack channel and intranet websites. Microsoft has warned of various tactics Lapsus$ uses, including exploiting flaws in tools such as Confluence and GitLab to obtain privileged account credentials and using a built-in Microsoft command (ntdsutil) to extract the AD database of a targeted network.

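From the defender's side of the ntdsutil technique mentioned above, here is an added detection example (not from Semperis or the article) that flags Install-From-Media (IFM) exports of the AD database in Windows process-creation events; the key=value log layout, the sample accounts and the allowlist are constructed assumptions for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in a simplified key=value export of Windows Security
# event 4688 (process creation). The layout and accounts are assumptions made
# for this example, not data from the article.
SAMPLE_EVENTS = [
    'EventID=4688 Account=CORP\\jdoe NewProcessName=C:\\Windows\\System32\\ntdsutil.exe '
    'CommandLine="ntdsutil.exe \'ac i ntds\' ifm \'create full C:\\temp\\out\' q q"',
    'EventID=4688 Account=CORP\\svc-backup NewProcessName=C:\\Windows\\System32\\ntdsutil.exe '
    'CommandLine="ntdsutil.exe \'ac i ntds\' ifm \'create full D:\\backup\\ifm\' q q"',
    'EventID=4688 Account=CORP\\jdoe NewProcessName=C:\\Windows\\System32\\notepad.exe '
    'CommandLine="notepad.exe C:\\notes.txt"',
    'EventID=4688 Account=CORP\\admin NewProcessName=C:\\Windows\\System32\\ntdsutil.exe '
    'CommandLine="ntdsutil.exe"',
]

# key=value pairs; a double-quoted value may contain spaces.
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> dict:
    """Split one key=value log line into a dict, stripping the value quotes."""
    return {k: v.strip('"') for k, v in _FIELD.findall(line)}


@dataclass
class Alert:
    account: str
    command_line: str
    reason: str


def detect_ntds_dump(lines, expected_accounts=frozenset()):
    """Flag ntdsutil invocations that write an IFM copy of the AD database.

    An IFM export contains the full NTDS.dit, so any use outside planned domain
    controller promotion or backup (expected_accounts) deserves investigation.
    """
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4688":
            continue
        if not ev.get("NewProcessName", "").lower().endswith("\\ntdsutil.exe"):
            continue
        cmd = ev.get("CommandLine", "").lower()
        if "ifm" not in cmd.split() and "create full" not in cmd:
            continue  # other ntdsutil use: worth logging, but not alerted here
        if ev.get("Account") in expected_accounts:
            continue  # approved backup/promotion account
        alerts.append(Alert(ev["Account"], ev["CommandLine"], "ntdsutil IFM export of NTDS.dit"))
    return alerts
```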

Hive group claims responsibility for attacks on organizations in New York and Canada

The Hive ransomware group took credit for attacks last summer on the New York Racing Association and Empress EMS, a New York-based emergency service and ambulance provider. Hive also recently claimed an attack on the Bell Canada subsidiary Bell Technical Solutions. Among other tactics, Hive uses remote admin software to infiltrate systems and establish persistence, then deploys tools such as ADRecon to map the AD environment.


BlackCat claims attack on Italian energy agency

The BlackCat (aka AlphV) ransomware group claimed responsibility for an attack on Italian energy agency Gestore dei Servizi Energetici SpA (GSE) that took out its website and other systems. Microsoft recently warned that the BlackCat ransomware group targets Exchange servers to gather the Active Directory information needed to compromise the environment and drop file-encrypting payloads.

