As cyberattacks targeting Active Directory continue to rise, AD security, identity, and IT teams face mounting pressure to monitor the evolving AD-focused threat landscape. To assist IT professionals in comprehending and preventing attacks that involve AD, the Semperis Research Team publishes a monthly roundup of recent cyberattacks. In this month’s round-up of identity-related attacks, Rhysida ransomware group claims attacks on Lurie Children’s Hospital and Sony subsidiary Insomniac Games, BlackCat/ALPHV targets multiple victims, and LockBit attacks Fulton County, Georgia.
Rhysida claims attack on Chicago children’s hospital
The Rhysida ransomware group claimed an attack on Lurie Children’s Hospital, a pediatric acute care facility in Chicago, that took systems offline and postponed medical care. Among other tactics, Rhysida uses a PowerShell script to compromise machines, including terminating RDP configurations and changing Active Directory passwords. Rhysida also claimed an attack on Sony subsidiary Insomniac Games.
BlackCat/ALPHV claims attack on Change Healthcare, Hessen Consumer Center, loanDepot, Prudential Financial
Ransomware gang BlackCat/ALPHV claimed the cyberattack on Optum, a subsidiary of UnitedHealth Group, which disrupted services of the Change Healthcare payment exchange platform used by more than 70,000 US pharmacies. The cyber criminal group, which claims they stole 6TB of Change Healthcare data, uses various methods to compromise organizations’ systems, including Active Directory. BlackCat/ALPHV also claimed attacks on Hessen Consumer Center, a nonprofit organization in Frankfurt, Germany, that provides consumer advocacy information to area residents; loanDepot; and Prudential Financial.
U-Haul customer records compromised in credential theft
An unknown attacker used stolen credentials to compromise customer records of U-Haul, a US company that rents moving equipment and storage units.
LockBit claims attack on Fulton County, Georgia
Fulton County, Georgia, home of Atlanta, was targeted in a LockBit ransomware group attack that caused widespread IT outages.
Black Basta and Bl00dy ransomware groups target ScreenConnect servers
Black Basta and Bl00dy are among the cyber criminal groups that have exploited a maximum severity authentication bypass vulnerability in ScreenConnect servers. The flaw enables attackers to create admin accounts, delete users, and take over vulnerable instances. Black Basta also claimed an attack on Hyundai Motor Europe that allegedly compromised 3TB of corporate data.