Cyberattacks targeting Active Directory (AD) are on the upswing, putting pressure on AD, identity, and security teams to monitor the constantly shifting AD-focused threat landscape. To help IT pros better understand and guard against attacks involving AD, the Semperis Research Team offers this monthly roundup of recent cyberattacks that used AD to introduce or propagate malware.
This month, the Semperis Research Team highlights new information about recent identity-related attacks, including the HermeticWiper attacks on Ukrainian organizations, the Lapsus$ (aka Dev-0537) social engineering campaign, and AvosLocker hits on critical infrastructure targets.
Attackers gained AD access, deployed HermeticWiper in attacks on Ukrainian organizations
In a campaign that was months in planning, threat actors gained access to AD servers and deployed HermeticWiper malware through the default domain policy.
Lapsus$ aka Dev-0537 uses social engineering and extortion to access information systems
Through social engineering and extortion, ransomware group Lapsus$ (Dev-0537) used compromised credentials to access organizations’ information systems, including identity providers such as Azure Active Directory and Okta.
Ransomware service AvosLocker hits critical infrastructure targets
Using various methods to gain domain admin privileges in victims’ AD environments, ransomware-as-a-service group AvosLocker targeted multiple organizations across critical infrastructure sectors, including government organizations, manufacturing, and financial services.
LockBit 2.0 takes responsibility for Bridgestone attack
Ransomware-as-a-service group LockBit 2.0 recently claimed responsibility for attacks on Japanese automotive supplier Bridgestone. LockBit uses various tactics, techniques, and procedures (TTPs) to compromise victim organizations, including abusing AD group policies to encrypt devices across Windows domains.
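Both the HermeticWiper campaign and LockBit 2.0 abuse Group Policy to push code to every domain-joined host, so a quick defensive check is to review the Default Domain Policy for recent changes and for extensions that execute or place files. The following PowerShell is an added example, not Semperis code; it assumes the GroupPolicy RSAT module on a domain-joined admin session, and the 72-hour lookback window is an assumed value to tune to your own change process.

```powershell
# Added example (not from the original post): audit the Default Domain Policy GPO
# for unexpected modification and for settings commonly abused to deploy payloads.
# Assumes: GroupPolicy RSAT module, domain-joined session with read rights on GPOs.
Import-Module GroupPolicy -ErrorAction Stop

# Well-known GUID of the Default Domain Policy (identical in every AD domain).
$DefaultDomainPolicyGuid = '31B2F340-016D-11D2-945F-00C04FB984F9'
$LookbackHours = 72   # assumption: widen or narrow to match your change window

$gpo = Get-GPO -Guid $DefaultDomainPolicyGuid

# 1. Flag a modification inside the lookback window that nobody scheduled.
$age = (Get-Date) - $gpo.ModificationTime
if ($age.TotalHours -lt $LookbackHours) {
    Write-Warning ("Default Domain Policy changed {0:N1} h ago (AD version {1}, owner {2})" -f
        $age.TotalHours, $gpo.Computer.DSVersion, $gpo.Owner)
}

# 2. Enumerate the client-side extensions configured in the Computer half of the GPO.
#    Scheduled Tasks, Scripts and Files are the usual vehicles for pushing a binary
#    to every domain member; a clean Default Domain Policy normally carries only
#    Security settings (password, Kerberos and audit policy).
[xml]$report = Get-GPOReport -Guid $DefaultDomainPolicyGuid -ReportType Xml
$suspectExtensions = @('Scheduled Tasks', 'Scripts', 'Files', 'Registry', 'Software Installation')

$configured = @($report.GPO.Computer.ExtensionData | ForEach-Object { $_.Name })
foreach ($name in $configured) {
    if ($suspectExtensions -contains $name) {
        Write-Warning "Default Domain Policy configures '$name' under Computer settings; review it."
    } else {
        Write-Output  "Default Domain Policy configures '$name' under Computer settings."
    }
}

# 3. On a domain controller, correlate with Security event 5136 (directory object
#    modified) for groupPolicyContainer objects. Requires 'Audit Directory Service
#    Changes' to be enabled and a SACL on the Policies container.
$since = (Get-Date).AddHours(-$LookbackHours)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'groupPolicyContainer' } |
    ForEach-Object {
        # The message body names the modifying account and the attribute touched
        # (gPCMachineExtensionNames changing is a strong signal that a new CSE was added).
        [pscustomobject]@{ Time = $_.TimeCreated; Detail = ($_.Message -split "`n")[0] }
    }
```

Run it from a change-controlled admin host after any GPO deployment so that legitimate edits are recognised and anything else stands out.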
CISA renews PrintNightmare patch and MFA configuration warnings
The Cybersecurity and Infrastructure Security Agency (CISA), in a joint advisory with the FBI, issued new warnings that Russian hackers are actively exploiting unpatched flaws, such as PrintNightmare, and risky practices, such as unenforced MFA policies, that enable them to gain access to networks and deploy malware.