Cyberattacks targeting Active Directory are on the upswing, putting pressure on AD, identity, and security teams to monitor the constantly shifting AD-focused threat landscape. To help IT pros better understand and guard against attacks involving AD, the Semperis Research Team offers this monthly roundup of recent cyberattacks that used AD to introduce or propagate malware.
This month, the Semperis Research Team highlights Microsoft’s warnings about the novel Prestige ransomware campaign, more Hive activity, and new Exchange Server zero-day attacks.
Microsoft warns about Prestige ransomware
The Microsoft Threat Intelligence Center (MSTIC) warned about a novel ransomware campaign against transportation and logistics organizations in Ukraine and Poland. The attackers first obtain highly privileged credentials, such as Domain Admin, and then use that access to propagate the malware: among other methods, they copy the ransomware payload to an Active Directory domain controller and deploy it through the Default Domain Policy GPO, which is linked at the domain root and therefore reaches every computer in the domain.
Hive ransomware group hits Indian energy company Tata Power
The Hive ransomware group, which also claimed responsibility for the recent attack on the Costa Rican government, claimed responsibility for a cyberattack on Indian energy company Tata Power that compromised IT systems and leaked stolen employee data. Among other tactics, Hive uses remote administration software to infiltrate systems and establish persistence, then deploys tools such as ADRecon to map the AD environment before moving laterally.
Microsoft warns about new Exchange Server zero-day attacks
Attackers are chaining new Exchange Server zero-day exploits to reach internal services, execute code remotely, and steal data. The exploits give the attackers hands-on-keyboard access to the compromised server, which they use to perform Active Directory reconnaissance as a prelude to further compromise.
LockBit ransomware group targets UK car dealer Pendragon
The LockBit ransomware gang breached Pendragon Group, which owns 200 car dealerships in the UK, allegedly stealing some data but failing to extract ransom from Pendragon. The LockBit group uses various tactics, techniques, and procedures (TTPs) to compromise victim organizations, including abusing AD group policies to encrypt devices across Windows domains.
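Both the Prestige and LockBit items above describe the same technique: stage a payload in SYSVOL and push it out to every domain-joined machine through a GPO, either as a startup script or as a scheduled-task preference item. The following PowerShell sweep is an added example, not code from the Semperis post, Microsoft, or either ransomware group's tooling. It walks every GPO's SYSVOL folder and reports the ones that carry executable content in a launchable location, define scheduled tasks or startup scripts, or (for the two built-in policies, whose GUIDs are fixed) have been modified recently. The `-LookbackDays` window, the `Find-SuspiciousGpoContent` function name and the payload extension list are assumptions chosen for this example; it requires the RSAT GroupPolicy and ActiveDirectory modules and read access to SYSVOL.

```powershell
# Added example (not from the original post): hunt for GPO abuse of the kind
# described above, where a payload is dropped into SYSVOL and launched
# domain-wide via a GPO. Assumes RSAT modules and read access to SYSVOL.
#Requires -Modules GroupPolicy, ActiveDirectory

function Find-SuspiciousGpoContent {
    param(
        [int]$LookbackDays = 7,                       # assumption: "recent" window
        [string]$Domain = (Get-ADDomain).DNSRoot
    )
    # Well-known GUIDs of the two built-in policies. They should change rarely,
    # so any recent modification is worth a look on its own.
    $BuiltIn = @{
        '{31B2F340-016D-11D2-945F-00C04FB984F9}' = 'Default Domain Policy'
        '{6AC1786C-016F-11D2-945F-00C04FB984F9}' = 'Default Domain Controllers Policy'
    }
    $Since    = (Get-Date).AddDays(-$LookbackDays)
    # Assumption: file types an attacker would realistically stage as a payload.
    $Payloads = '.exe', '.dll', '.bat', '.cmd', '.ps1', '.vbs', '.js', '.hta', '.msi'

    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        $id   = '{' + $gpo.Id.ToString().ToUpper() + '}'
        $path = "\\$Domain\SYSVOL\$Domain\Policies\$id"
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $files = Get-ChildItem -LiteralPath $path -Recurse -File -ErrorAction SilentlyContinue

        # (a) Binaries or scripts sitting where a GPO can launch them from:
        #     Machine\Scripts, User\Scripts, or the Preferences tree.
        $dropped = $files | Where-Object {
            $Payloads -contains $_.Extension.ToLower() -and
            $_.FullName -match '\\(Scripts|Preferences)\\'
        }

        # (b) Scheduled-task preference items: extract what each task runs.
        #     Legacy <Task> items keep the command in Properties/@appName;
        #     TaskV2 and ImmediateTaskV2 items nest it under Task/Actions/Exec.
        $tasks = foreach ($f in ($files | Where-Object Name -eq 'ScheduledTasks.xml')) {
            [xml]$doc = Get-Content -LiteralPath $f.FullName -Raw
            foreach ($t in $doc.ScheduledTasks.ChildNodes) {
                $p = $t.Properties
                if (-not $p) { continue }                 # skip comments/whitespace nodes
                $cmd  = $p.appName
                if (-not $cmd)  { $cmd  = $p.Task.Actions.Exec.Command }
                $argv = $p.args
                if (-not $argv) { $argv = $p.Task.Actions.Exec.Arguments }
                [pscustomobject]@{
                    Type    = $t.LocalName
                    Name    = $t.name
                    RunAs   = $p.runAs
                    Command = "$cmd $argv".Trim()
                }
            }
        }

        # (c) Startup/shutdown script command lines from scripts.ini / psscripts.ini.
        $scripts = $files |
            Where-Object { $_.Name -in 'scripts.ini', 'psscripts.ini' } |
            Select-String -Pattern 'CmdLine=(.+)$' |
            ForEach-Object { $_.Matches[0].Groups[1].Value }

        $recentFiles = $files | Where-Object LastWriteTime -ge $Since
        $reasons = @()
        if ($BuiltIn.ContainsKey($id) -and $gpo.ModificationTime -ge $Since) {
            $reasons += "built-in policy '$($BuiltIn[$id])' modified $($gpo.ModificationTime)"
        }
        if ($dropped) { $reasons += "payload-like files: $($dropped.Name -join ', ')" }
        if ($tasks) {
            $desc = $tasks | ForEach-Object { "$($_.Type) '$($_.Name)' runs $($_.Command) as $($_.RunAs)" }
            $reasons += "scheduled tasks: $($desc -join '; ')"
        }
        if ($scripts) { $reasons += "startup/shutdown scripts: $($scripts -join '; ')" }
        if ($recentFiles -and -not $reasons) {
            $reasons += "$($recentFiles.Count) file(s) written since $Since"
        }

        if ($reasons) {
            [pscustomobject]@{
                GPO      = $gpo.DisplayName
                Id       = $id
                Modified = $gpo.ModificationTime
                Findings = $reasons
            }
        }
    }
}

# Usage: run from a domain-joined admin workstation; review every hit by hand.
Find-SuspiciousGpoContent -LookbackDays 7 | Format-List
```

This is a point-in-time hunting sweep, not a detection: a legitimate software-deployment GPO will show up too, so every hit needs a human to confirm what the task or script actually runs and who changed the policy. For continuous coverage, pair it with auditing of directory object modifications on `groupPolicyContainer` objects (Security event 5136 on the domain controllers) and file-system auditing on SYSVOL, so that a version bump on the Default Domain Policy raises an alert at the moment it happens rather than on the next scheduled sweep.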