Cyberattacks targeting Active Directory are on the upswing, putting pressure on AD, identity, and security teams to monitor the constantly shifting AD threat landscape. To help IT pros better understand and guard against attacks involving AD, the Semperis Research Team offers this monthly roundup of recent cyberattacks that used AD to introduce or propagate malware.
This month, the Semperis Research Team highlights an exploit that targeted the “AD of SAP,” ghost attacks that involved AD, and an AD-related attack by the REvil ransomware group.
Hackers exploit the “Active Directory of SAP”
Hackers posted an exploit on GitHub that targeted a security vulnerability in software from SAP, a global leader in ERP systems for enterprises. The vulnerability being exploited is a critical one in the “SolMan” administrative application—meaning it is the “Active Directory of SAP.” Successful exploitation lets attackers gain complete access to the target’s ERP as well as pivot into the enterprise through connectivity to other systems, such as Active Directory.
Ghost attacks target Active Directory
Research firm Sophos reported that recent ghost attacks targeted Active Directory to compromise companies’ systems. In one incident, attackers created a new user account and added it to the targeted organization‘s AD domain admin group. The cybercriminals were then able to use the new domain admin account to delete about 150 virtual servers and encrypt the server backups—undetected.
In a second, unrelated incident, the Netfilim ransomware group locked more than 100 systems at a target organization by gaining entry to an unmonitored admin account in AD belonging to a deceased employee.
Dairy Farm suffers REvil ransomware attack
Active Directory continues to be a popular point of compromise and access for the ransomware group REvil, which recently compromised Dairy Farm Group’s network and encrypted devices, demanding an alleged $30 million ransom. In this instance, REvil used a screenshot of Dairy Farm’s compromised AD as proof of a broader control over the company’s network and critical assets.
Want to strengthen defenses of your Active Directory against cyberattacks? Check out our latest resources.