Cyberattacks targeting Active Directory are on the upswing, putting pressure on AD, identity, and security teams to monitor the constantly shifting AD-focused threat landscape. To help IT pros better understand and guard against attacks involving AD, the Semperis Research Team offers this monthly roundup of recent cyberattacks that used AD to introduce or propagate malware.
This month, the Semperis Research Team highlights identity-related cyberattacks including details about the MeteorExpress breach of Iran’s train system, several Microsoft vulnerabilities including PetitPotam and SeriousSam, and a new zero-day breach of SolarWinds software.
MeteorExpress wiper attack used Active Directory to compromise Iran’s train system
A wiper attack on Iran’s train system used Active Directory Group Policy to push malware across the network that encrypted files and deleted Volume Shadow Copy Service (VSS) backups, complicating recovery.
Microsoft addresses several identity-related vulnerabilities
In a series of warnings, patches, and workarounds, Microsoft addressed a string of identity-related vulnerabilities in its software, including the PetitPotam attacks against Windows domain controllers, a critical PowerShell 7 code execution vulnerability, and the SeriousSam attack that allows anyone to read the registry in Windows 10. The company also added PrintNightmare detection to Microsoft Defender for Identity, and added the ability in Microsoft Defender for security operations teams to lock a compromised user’s Active Directory account.
CISA warns agencies to patch Windows Print Spooler vulnerability
The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) directed executive branch agencies to immediately apply the out-of-band patch that Microsoft released on July 7 to fix the Windows Print Spooler vulnerability dubbed PrintNightmare.
Attackers used zero-day flaw to breach SolarWinds again
SolarWinds reported that threat actors used a zero-day flaw in its Serv-U Managed File Transfer and Serv-U Secure FTP software to carry out targeted attacks that appear to be unrelated to the sweeping attack on its Orion software uncovered in late 2020.
REvil unleashes far-reaching supply-chain attack via Kaseya
The REvil ransomware group used the zero-day vulnerability to deliver malware through a fake, automated update to Kaseya’s VSA solution, which managed service providers (MSPs) across the U.S. and the United Kingdom use to manage their clients’ systems.
Authorities orchestrate takedown of DoubleVPN server used by cybercriminals
Led by the Dutch National Police, a consortium of authorities from the U.S., Europe, and Canada seized the web domains and server infrastructure of DoubleVPN, a VPN used by cybercriminals to mask their locations and identities.
AvosLocker uses DC vulnerabilities to target victims
A new ransomware group, AvosLocker, targets vulnerable domain controllers to gain entry into information systems and deliver malware to its victims, including the Ohio city of Geneva.
More Resources
Want to strengthen defenses of your Active Directory against cyberattacks? Check out our latest resources.