Cyberattacks targeting Active Directory are on the upswing, putting pressure on AD, identity, and security teams to monitor the constantly shifting AD-focused threat landscape. To help IT pros better understand and guard against attacks involving AD, the Semperis Research Team offers this monthly roundup of recent cyberattacks that used AD to introduce or propagate malware.
This month, the Semperis Research Team highlights identity-related aspects of the SolarWinds breach as well as attacks on an electric utilities company in Brazil and a New York school system.
SolarWinds hearings highlighted gaps in identity security
During the first public congressional hearing on the SolarWinds breach, technology leaders from SolarWinds, Microsoft, FireEye, and CrowdStrike testified before the Senate Intelligence Committee about factors that led to the attack. Microsoft President Brad Smith stated that attackers entered some customers’ systems through on-premises systems, accessed admin credentials, then escalated to online services such as Office 365. The attackers also used common methods such as password spraying, according to Kevin Mandia, CEO of FireEye.
Sean Deuby, Semperis Director of Services, commented in Enterprise Security Tech that some of the tactics used in the breach were not “highly sophisticated, nation-state only tactics; they’re tried-and-true methods used broadly by all bad actors to break into Active Directory in organizations around the world.”
Brazilian electric utility company attack compromised AD
The Darkside group executed a ransomware attack on Brazilian electric utilities company Copel by gaining access to the company’s CyberArk privileged access management solution. The attackers claim to have stolen sensitive information including network maps, backup schemes and schedules, and domain zones for Copel’s public web site and intranet. They also claim to have compromised the Active Directory NTDS.dit file.
Active Directory targeted in malware attack on New York schools
A malware attack on Victor Central Schools in New York encrypted data and systems—including Active Directory—forcing a weeklong school closure. No personal or financial data was compromised; that information was stored in off-site servers. The malware attack is being investigated by the Department of Homeland Security and the FBI.
Want to strengthen defenses of your Active Directory against cyberattacks? Check out our latest resources.