As cyberattacks targeting Active Directory continue to rise, AD security, identity, and IT teams face mounting pressure to monitor the evolving AD-focused threat landscape. To assist IT professionals in comprehending and preventing attacks that involve AD, the Semperis Research Team publishes a monthly roundup of recent cyberattacks. In this month’s round-up of identity-related attacks, ramifications of the Okta breach expand, attackers target a Japanese space agency’s Active Directory, and the BlackCat/ALPHV ransomware group launches repeated attacks on healthcare company Henry Schein.
Okta attack compromised customer support user data
Attackers targeting Okta in an October attack obtained customer support system user data. Okta noted that many of the exposed users were administrators, some of whom hadn’t implemented MFA, prompting the company to recommend implementing MFA for admin access, requiring re-authentication for admin sessions from new IP addresses, setting admin session timeouts, and increasing vigilance against phishing attempts.
Attackers target Japanese space agency’s Active Directory
An attack on the Japanese space agency JAXA targeted the organization’s Active Directory server, potentially exposing critical information including employee credentials.
Healthcare company Henry Schein suffers repeat attack by BlackCat/ALPHV
Large U.S.-based healthcare products and services provider Henry Schein suffered a second attack in November after the BlackCat/ALPHV ransomware group first targeted the company in October. The attack took down some of its applications and e-commerce platform. ALPHV/BlackCat often targets Active Directory to gain entry into information systems before dropping malware.
MOVEit attack claims Welltok healthcare provider, AutoZone, and state of Maine
U.S. healthcare provider Welltok reported that it was the victim of the attack on MOVEit Transfer servers launched by the Clop ransomware group, and that the breach impacted more than 8 million people. AutoZone also reported that it was the victim of the MOVEit attack, as did the state of Maine.
LockBit claims attacks on Canadian government contractors and Boeing
Ransomware group LockBit has taken responsibility for attacks on two Canadian government contractors that exposed sensitive information about government employees. LockBit uses various tactics, techniques, and procedures (TTPs) to compromise victim organizations, including abusing AD group policies to encrypt devices across Windows domains. Airline manufacturer Boeing also reported that it was the victim of a LockBit attack.
Black Basta group behind attack on Toronto Public Library
Ransomware group Black Basta, whose tactics include targeting organizations’ Active Directory, claimed responsibility for an attack on the Toronto Public Library that compromised personal information of employees, customers, volunteers, and donors.