As cyberattacks targeting Active Directory continue to rise, AD security, identity, and IT teams face mounting pressure to monitor the evolving AD-focused threat landscape. To help IT professionals understand and prevent attacks that involve AD, the Semperis Research Team publishes a monthly roundup of recent cyberattacks. In this month’s roundup of identity-related attacks, Midnight Blizzard hits Microsoft and HPE, the Cactus ransomware group targets Schneider Electric, and LockBit claims attacks on EquiLend and Capital Health.
Midnight Blizzard attack on Microsoft involved password spray, lack of MFA, and privilege escalation
The Midnight Blizzard (also known as Nobelium or APT29) attack that breached Microsoft executives’ email accounts used various tactics, including password spray brute-force attacks and residential proxies, to gain access to a non-production test tenant account that did not have MFA enabled. Once the threat actors had access to that account, which had elevated access to the company’s corporate environment, they were able to escalate their access. Midnight Blizzard also targeted Hewlett Packard Enterprise (HPE) email accounts.
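The pattern described above (one source failing against many accounts with few attempts each, followed by a successful sign-in to an account without MFA) is what a defender would look for in sign-in logs. The following is an added example, not code from the Semperis post or from Microsoft; the event fields, the constructed sample records, and the thresholds are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events: (timestamp, source_ip, user, result, mfa_used)
SAMPLE_EVENTS = [
    ("2024-01-12T03:00:01", "198.51.100.7", "alice", "FAIL", False),
    ("2024-01-12T03:00:05", "198.51.100.7", "bob", "FAIL", False),
    ("2024-01-12T03:00:09", "198.51.100.7", "carol", "FAIL", False),
    ("2024-01-12T03:00:13", "198.51.100.7", "dave", "FAIL", False),
    ("2024-01-12T03:00:17", "198.51.100.7", "erin", "FAIL", False),
    ("2024-01-12T03:00:21", "198.51.100.7", "test-tenant-admin", "SUCCESS", False),
    ("2024-01-12T03:05:00", "203.0.113.9", "alice", "FAIL", True),   # one user mistyping
    ("2024-01-12T03:05:30", "203.0.113.9", "alice", "SUCCESS", True),
]


def _parse(events):
    return [(datetime.fromisoformat(ts), ip, user, result, mfa)
            for ts, ip, user, result, mfa in events]


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_users=5, max_per_user=2):
    """Map each spraying source IP to the sorted list of accounts it targeted.

    A spray is a source whose failures inside `window` touch at least `min_users`
    distinct accounts with at most `max_per_user` failures each: the low-and-slow
    shape that stays under per-account lockout thresholds (assumed values)."""
    by_ip = defaultdict(list)
    for ts, ip, user, result, _ in _parse(events):
        if result == "FAIL":
            by_ip[ip].append((ts, user))
    sprays = {}
    for ip, fails in by_ip.items():
        fails.sort()
        for i in range(len(fails)):
            # Failures per account in the window that starts at fails[i]
            start = fails[i][0]
            per_user = Counter(u for ts, u in fails[i:] if ts - start <= window)
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                sprays[ip] = sorted(per_user)
                break
    return sprays


def successes_without_mfa(events, sprays):
    """Successful sign-ins from a spraying source that saw no MFA challenge:
    the weak spot that the unprotected test-tenant account represented."""
    return sorted({(ip, user) for _, ip, user, result, mfa in _parse(events)
                   if ip in sprays and result == "SUCCESS" and not mfa})
```

On the constructed records, the first source is flagged as a spray and its MFA-less success against `test-tenant-admin` is reported; the single user retrying with MFA is not.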
Cactus ransomware hits Schneider Electric
The Cactus ransomware gang, which uses purchased credentials and other tactics to breach networks and gain administrative privileges, claimed responsibility for a cyberattack on energy company Schneider Electric.
LockBit claims responsibility for EquiLend breach
Ransomware group LockBit claimed an attack on global fintech company EquiLend that disrupted services just a week after the company announced its upcoming acquisition by a private equity firm.
Jason’s Deli hit by credential stuffing attacks
Threat actors compromised customers’ personal data in a credential stuffing attack against Jason’s Deli, a U.S. restaurant chain.
New authentication bypass vulnerability exposes GoAnywhere Managed File Transfer to attacks
A newly discovered flaw in GoAnywhere Managed File Transfer versions before 7.4.1 enables attackers to create a new admin user through the product’s administration portal, which could lead to device takeover.
Akira ransomware group targets Swedish company Tietoevry
The Akira ransomware group compromised accounts that weren’t protected by MFA to launch an attack that took down data centers of Swedish company Tietoevry.
LockBit targets Capital Health in ransomware attack
LockBit ransomware group claimed an attack on Capital Health, a primary healthcare provider in New Jersey and Pennsylvania, that extracted sensitive patient medical data for extortion purposes. LockBit’s tactics include exploiting vulnerabilities in AD.