As cyberattacks targeting Active Directory continue to rise, AD security, identity, and IT teams face mounting pressure to monitor the evolving AD-focused threat landscape. To help IT professionals understand and prevent attacks that involve AD, the Semperis Research Team publishes a monthly roundup of recent cyberattacks. In this month’s roundup of identity-related attacks, Microsoft warns of the Octo Tempest threat actor, new Rorschach (aka BabLock) ransomware hits a Chilean telecom company, and ALPHV/BlackCat makes multiple strikes.
Microsoft warns about Octo Tempest threat actor
Microsoft released a detailed profile of threat actor Octo Tempest, which partners with the ALPHV/BlackCat ransomware group to unleash data extortion and ransomware attacks against organizations providing telecommunications, email, and tech services. Microsoft recommends monitoring and reviewing identity-related processes, among other guidelines.
Lazarus group repeatedly targets software vendor and TeamCity servers
North Korean cybercriminal group Lazarus repeatedly targeted a software vendor to deploy SIGNBT malware and claimed responsibility for an attack on TeamCity, which makes continuous integration and deployment servers. Lazarus’ methods include compromising Active Directory to obtain lists of admin accounts.
Chilean telecom hit by new Rorschach ransomware that targets domain controllers
Grupo GTD, a Chilean telecom that offers services throughout Latin America, was targeted by new ransomware called Rorschach (aka BabLock), which is deployed through a DLL side-loading technique. When executed on a Windows domain, the ransomware creates a Group Policy to propagate malware to other hosts.
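Because the Rorschach technique above relies on creating and linking a Group Policy, a defender’s first check is whether any GPO was created or linked by someone who is not a GPO administrator, or at an unusual time. The script below is an added example and is not code from Semperis or from the original post. It assumes Windows Security log records already parsed into dictionaries: event 5137 (directory object created) with ObjectClass groupPolicyContainer, and event 5136 (directory object modified) with the gPLink attribute. The sample records, the approved-author list and the change window are constructed for illustration.

```python
"""Triage Group Policy creation and linking events for signs of GPO abuse.

Added example (not from the original post). Assumes events are Windows
Security log records parsed into dicts carrying EventID, TimeCreated,
SubjectUserName, ObjectClass, ObjectDN and, for 5136, the modified
attribute name and value. Everything below is constructed sample data.
"""
import re
from datetime import datetime, timedelta

# Constructed sample events; GUIDs, names and domain are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 5137, "TimeCreated": "2023-10-20T02:13:05", "SubjectUserName": "svc-backup",
     "ObjectClass": "groupPolicyContainer",
     "ObjectDN": "CN={11111111-2222-3333-4444-555555555555},CN=Policies,CN=System,DC=corp,DC=example"},
    {"EventID": 5137, "TimeCreated": "2023-10-18T10:02:11", "SubjectUserName": "gpo-admin",
     "ObjectClass": "groupPolicyContainer",
     "ObjectDN": "CN={66666666-7777-8888-9999-000000000000},CN=Policies,CN=System,DC=corp,DC=example"},
    # Domain root gPLink modified a minute after the first GPO was created.
    {"EventID": 5136, "TimeCreated": "2023-10-20T02:14:30", "SubjectUserName": "svc-backup",
     "ObjectClass": "domainDNS", "ObjectDN": "DC=corp,DC=example",
     "AttributeLDAPDisplayName": "gPLink",
     "AttributeValue": "[LDAP://cn={11111111-2222-3333-4444-555555555555},cn=policies,cn=system,DC=corp,DC=example;0]"},
    # Unrelated object creation that must not be flagged.
    {"EventID": 5137, "TimeCreated": "2023-10-19T09:00:00", "SubjectUserName": "hr-user",
     "ObjectClass": "user", "ObjectDN": "CN=New Hire,OU=Staff,DC=corp,DC=example"},
]

# Assumed: the only accounts permitted to create or link GPOs.
APPROVED_GPO_AUTHORS = {"gpo-admin"}
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def gpo_creations(events):
    """Return 5137 events whose created object is a Group Policy container."""
    return [e for e in events
            if e["EventID"] == 5137 and e["ObjectClass"] == "groupPolicyContainer"]


def gplink_changes(events):
    """Return 5136 events that modify a gPLink attribute (GPO linked/unlinked)."""
    return [e for e in events
            if e["EventID"] == 5136
            and e.get("AttributeLDAPDisplayName", "").lower() == "gplink"]


def in_change_window(ts, start_hour=8, end_hour=18):
    """Assumed change window: weekdays 08:00-18:00 local time."""
    t = datetime.fromisoformat(ts)
    return t.weekday() < 5 and start_hour <= t.hour < end_hour


def gpo_guid(text):
    """Extract the GPO GUID from a DN or gPLink value, normalized to lowercase."""
    m = GUID_RE.search(text)
    return m.group(0).lower() if m else None


def linked_soon_after_creation(link_event, creations, max_gap=timedelta(hours=1)):
    """True if the linked GPO was created within max_gap before the link event."""
    linked = gpo_guid(link_event["AttributeValue"])
    link_time = datetime.fromisoformat(link_event["TimeCreated"])
    for c in creations:
        if gpo_guid(c["ObjectDN"]) == linked:
            created = datetime.fromisoformat(c["TimeCreated"])
            if timedelta(0) <= link_time - created <= max_gap:
                return True
    return False


def triage(events, approved=APPROVED_GPO_AUTHORS):
    """Return findings for GPO creations/links by unapproved authors, outside
    the change window, or linking a GPO that was created minutes earlier."""
    creations = gpo_creations(events)
    findings = []
    for e in creations + gplink_changes(events):
        reasons = []
        if e["SubjectUserName"] not in approved:
            reasons.append("author not an approved GPO administrator")
        if not in_change_window(e["TimeCreated"]):
            reasons.append("outside change window")
        if e["EventID"] == 5136 and linked_soon_after_creation(e, creations):
            reasons.append("links a GPO created within the last hour")
        if reasons:
            findings.append({"event": e["EventID"], "dn": e["ObjectDN"],
                             "by": e["SubjectUserName"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['event']} by {f['by']} on {f['dn']}: {', '.join(f['reasons'])}")
```

The third reason is the one worth paging on: a fresh GPO linked at the domain root by a non-GPO account is exactly the shape of the propagation step described above, whereas an approved administrator creating a GPO inside the change window produces no finding.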
ALPHV/BlackCat breaches Seiko, Florida circuit court, and MotelOne
ALPHV/BlackCat ransomware group claimed attacks on watchmaker Seiko, the Florida circuit court, and low-budget hotel chain MotelOne. ALPHV/BlackCat routinely targets Active Directory to gain entry into information systems before dropping malware.
Password management platform 1Password targeted in Okta breach
Cyberattackers gained access to the Okta ID management tenant of 1Password, a password management platform, although the company stated that it terminated the malicious activity and found no evidence of data compromise. (For information about how to mitigate Okta vulnerabilities, see the Semperis article Using Purple Knight to Detect the Okta Super Admin Attack.)
Sony falls victim to MOVEit attack
Entertainment giant Sony disclosed that employee information was exposed in the attacks on the MOVEit Transfer platform conducted by Clop ransomware group, which uses methods including compromising victims’ Active Directory (AD) servers and dropping malware.