Cyberattacks targeting Active Directory are on the upswing, putting pressure on AD, identity, and security teams to monitor the constantly shifting AD-focused threat landscape. To help IT pros better understand and guard against attacks involving AD, the Semperis Research Team offers this monthly roundup of recent cyberattacks that used AD to introduce or propagate malware.
This month, the Semperis Research Team highlights actions to mitigate two Active Directory vulnerabilities that could allow attackers to take over Windows domains, the Log4j vulnerability, and new activity from the Cuba ransomware group.
Patching and additional actions advised to address Active Directory vulnerabilities
After releasing security patches for two Active Directory vulnerabilities during the November 2021 Patch Tuesday, Microsoft urged customers on December 20 to apply the patches immediately to prevent attackers from taking over Windows domains. In addition to patching, organizations can take additional actions to prevent unauthorized creation of accounts that could lead to escalation of privileges and an attack.
Conti ransomware weaponizes Log4j vulnerability
The Russia-based Conti group has developed a comprehensive attack chain based on the Log4j vulnerability in the Apache logging library uncovered in December. The attack methodology includes Kerberoasting, which extracts service account credentials from Active Directory. The Log4j vulnerability is suspected in a ransomware attack on Kronos, one of the largest human resources software companies, disrupting payroll systems for organizations including the New York Metropolitan Transportation Authority (MTA) and many hospitals.
FBI warns of Cuba ransomware group activity targeting critical infrastructure
The U.S. Federal Bureau of Investigation (FBI) uncovered tactics, including compromised credentials, used by the Cuba ransomware group to compromise dozens of critical infrastructure entities in industries spanning healthcare, government, and other industries.
ALPHV BlackCat ransomware tactics include configuring domain credentials
Research group MalwareThreatHunter uncovered ALPHV BlackCat, sophisticated new ransomware that includes a customizable feature set that allows threat actors to—among other tactics—configure domain credentials to spread malware and encrypt devices on the network.
More Resources
Want to strengthen defenses of your Active Directory against cyberattacks? Check out our latest resources.