Semperis Identity Attack Watch: January 2021

By Semperis Research Team February 04, 2021 | Active Directory

Cyberattacks targeting Active Directory are on the upswing, putting pressure on AD, identity, and security teams to monitor the constantly shifting AD threat landscape. To help IT pros better understand and guard against attacks involving AD, the Semperis Research Team offers this monthly roundup of recent cyberattacks that used AD to introduce or propagate malware.

This month, the Semperis Research Team highlights an exploit that targeted the “AD of SAP,” ghost attacks that involved AD, and an AD-related attack by the REvil ransomware group.

Hackers exploit the “Active Directory of SAP”

Hackers posted an exploit on GitHub that targeted a security vulnerability in software from SAP, a global leader in ERP systems for enterprises. The vulnerability being exploited is a critical one in the “SolMan” administrative application, which is in effect the “Active Directory of SAP.” Successful exploitation lets attackers gain complete access to the target's ERP as well as pivot into the enterprise through connectivity to other systems, such as Active Directory.

Read more 

Ghost attacks target Active Directory 

Research firm Sophos reported that recent ghost attacks targeted Active Directory to compromise companies’ systems. In one incident, attackers created a new user account and added it to the targeted organization’s AD domain admin group. The cybercriminals were then able to use the new domain admin account to delete about 150 virtual servers and encrypt the server backups—undetected.

In a second, unrelated incident, the Nefilim ransomware group locked more than 100 systems at a target organization by gaining entry to an unmonitored admin account in AD belonging to a deceased employee.
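Both incidents share a detectable shape: a privileged group gains a member that was created only minutes earlier, or a privileged account that nobody has used for months suddenly matters. The following is an added example (not code from the Semperis post) that correlates Windows Security events 4720 (user account created) and 4728 (member added to a security-enabled global group) and lists idle privileged accounts; the event records, account names, timestamps and the 90-day idle threshold are constructed assumptions.

```python
"""Flag two ghost-attack patterns from AD audit data:
1. an account added to a privileged group shortly after it was created;
2. privileged accounts that have been idle long enough to be 'forgotten'."""
from datetime import datetime, timedelta

# Constructed sample events (not real logs). 4720 = user account created,
# 4728 = member added to a security-enabled global group such as Domain Admins.
SAMPLE_EVENTS = [
    {"id": 4720, "time": "2021-01-12T02:14:00", "target": "svc-backup2", "subject": "jdoe"},
    {"id": 4728, "time": "2021-01-12T02:16:30", "target": "svc-backup2",
     "group": "Domain Admins", "subject": "jdoe"},
    {"id": 4720, "time": "2021-01-05T09:00:00", "target": "newhire", "subject": "hr-admin"},
    {"id": 4728, "time": "2021-01-20T10:00:00", "target": "contractor",
     "group": "Domain Admins", "subject": "itops"},
]

# Constructed snapshot: privileged account -> last interactive logon (ISO 8601).
SAMPLE_ADMINS = {
    "jdoe": "2021-01-28T08:00:00",
    "rsmith": "2020-06-15T17:30:00",      # former employee, never disabled
    "svc-backup2": "2021-01-12T02:20:00",
}

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}


def new_account_to_admin(events, window_hours=24):
    """Return (account, group, actor) for accounts placed in a privileged
    group within `window_hours` of their creation event."""
    created = {e["target"]: datetime.fromisoformat(e["time"])
               for e in events if e["id"] == 4720}
    hits = []
    for e in events:
        if e["id"] != 4728 or e.get("group") not in PRIVILEGED_GROUPS:
            continue
        t0 = created.get(e["target"])
        if t0 is None:
            continue  # no creation event seen; handled by a different rule
        delta = datetime.fromisoformat(e["time"]) - t0
        if timedelta(0) <= delta <= timedelta(hours=window_hours):
            hits.append((e["target"], e["group"], e["subject"]))
    return hits


def stale_admins(admins, now_iso, max_idle_days=90):
    """Return privileged accounts idle longer than `max_idle_days` (review candidates)."""
    now = datetime.fromisoformat(now_iso)
    return sorted(a for a, last in admins.items()
                  if now - datetime.fromisoformat(last) > timedelta(days=max_idle_days))


if __name__ == "__main__":
    print("new account -> admin:", new_account_to_admin(SAMPLE_EVENTS))
    print("stale admins:", stale_admins(SAMPLE_ADMINS, "2021-01-31T00:00:00"))
```

In production the same two rules would run over exported Security log events and a scheduled query of the privileged groups, with the idle threshold tuned to the organization's leaver process.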

Read more 

Dairy Farm suffers REvil ransomware attack 

Active Directory continues to be a popular point of compromise and access for the ransomware group REvil, which recently compromised Dairy Farm Group’s network and encrypted devices, demanding an alleged $30 million ransom. In this instance, REvil used a screenshot of Dairy Farm’s compromised AD as proof of a broader control over the company’s network and critical assets. 

Read more 

More Resources 

Want to strengthen defenses of your Active Directory against cyberattacks? Check out our latest resources.  

About the author
Semperis Research Team
The Semperis Research Team continuously studies the ways cyber criminals are plotting to compromise organizations' information systems—particularly by exploiting vulnerabilities in Active Directory—now and in the future. Their work provides guidance for the security community in protecting against AD-related attacks and informs the development of products that help organizations increase their cyber resilience.