Cyberattacks targeting Active Directory are on the upswing, putting pressure on AD, identity, and security teams to monitor the constantly shifting AD-focused threat landscape. To help IT pros better understand and guard against attacks involving AD, the Semperis Research Team offers this monthly roundup of recent cyberattacks that used AD to introduce or propagate malware.
This month, the Semperis Research Team highlights the emerging Bloody Ransomware Gang, an SEO poisoning campaign that could lead to an Active Directory compromise, and multiple attacks claimed by the Hive ransomware group.
Emerging ransomware group uses leaked LockBit builder in attacks on Ukrainian entity
The Bloody Ransomware Gang, which started operating in May 2022 with attacks on New York medical and dental practices, used a LockBit 3.0 ransomware builder that was leaked on Twitter to launch attacks on a Ukrainian organization. A leaked builder hands a new group the established operator's capabilities: the LockBit group uses various tactics, techniques, and procedures (TTPs) to compromise victim organizations, including abusing AD Group Policy Objects (GPOs) to push the encryptor to devices across Windows domains.
SEO poisoning campaign compromises multiple organizations
Cybercriminals used an SEO poisoning campaign to attack several organizations by targeting employees who search for certain terms and steering them to malicious search results. Victims who download resources offered on fake forum pages execute malware that collects host and user information, including the internal corporate domain name, which gives the attacker the starting point for an Active Directory compromise.
Lapsus$ breaches Uber’s internal systems
Teenage cybercrime group Lapsus$ claimed responsibility for an attack that compromised Uber's systems, including its Slack workspace and intranet websites. Microsoft has warned of various tactics Lapsus$ uses, including exploiting flaws in tools such as Confluence and GitLab to obtain privileged account credentials, then using a built-in Microsoft command (ntdsutil, whose Install From Media function writes a copy of ntds.dit and the SYSTEM hive to disk) to extract the AD database of a targeted network for offline credential extraction.
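Two of the TTPs in this roundup leave footprints that defenders can hunt for directly on a domain controller: the ntdsutil database extraction described above and the Group Policy abuse used by LockBit-derived ransomware. The following PowerShell hunt is an added example written for this page; it is not code from Semperis, Microsoft, or any of the groups discussed. It assumes it runs as a domain administrator on a DC, that "Audit Process Creation" with command-line logging is enabled so that Security event 4688 carries the command line, and that the GroupPolicy RSAT module is installed; the 24-hour window and the regular expression are illustrative choices.

```powershell
# Added example: hunt a domain controller for two AD-abuse TTPs.
# Assumes domain-admin rights on a DC, 4688 command-line auditing enabled,
# and the GroupPolicy module available. Window and regex are illustrative.
param([int]$Hours = 24)
$since = (Get-Date).AddHours(-$Hours)

# 1. ntdsutil "ifm" (Install From Media) dumps ntds.dit plus the SYSTEM hive,
#    which is enough to recover every domain password hash offline.
#    Operators often use the abbreviated syntax, e.g. ntdsutil "ac i ntds" "ifm" ...
$pattern = 'ntdsutil.*(ifm|ac\s+i\s+ntds|activate\s+instance\s+ntds)'
$procEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } `
                           -ErrorAction SilentlyContinue
$hits = foreach ($e in $procEvents) {
    # Pull the named EventData fields out of the event XML
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d['NewProcessName'] -match '\\ntdsutil\.exe$' -or $d['CommandLine'] -match $pattern) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            User    = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Parent  = $d['ParentProcessName']
            Command = $d['CommandLine']
        }
    }
}
if ($hits) {
    Write-Host "ntdsutil activity in the last $Hours hours:" -ForegroundColor Red
    $hits | Format-Table -AutoSize
} else {
    Write-Host "No ntdsutil process creation events in the last $Hours hours."
}

# 2. GPOs created or modified recently. Ransomware operators push scheduled
#    tasks, service stops and the encryptor itself through a new or edited GPO,
#    so any change outside a known change window deserves a look at the GPO's
#    scheduled-task and startup-script settings.
Import-Module GroupPolicy
$recentGpos = Get-GPO -All | Where-Object { $_.ModificationTime -ge $since } |
    Select-Object DisplayName, Id, Owner, CreationTime, ModificationTime |
    Sort-Object ModificationTime -Descending
if ($recentGpos) {
    Write-Host "GPOs changed in the last $Hours hours:" -ForegroundColor Yellow
    $recentGpos | Format-Table -AutoSize
} else {
    Write-Host "No GPO changes in the last $Hours hours."
}
```

Run it as `.\Hunt-ADAbuse.ps1 -Hours 72` (a hypothetical file name) to widen the window. The ntdsutil check matches on both the image path and the command line because the binary can be copied and renamed; if command-line auditing is not enabled, only the path match will fire, and a renamed copy will be missed entirely, which is the argument for enabling that audit setting before an incident rather than during one.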
Hive group claims responsibility for attacks on organizations in New York and Canada
The Hive ransomware group took credit for attacks last summer on the New York Racing Association and Empress EMS, a New York-based emergency service and ambulance provider. Hive also recently claimed an attack on the Bell Canada subsidiary Bell Technical Solutions. Among other tactics, Hive uses remote admin software to infiltrate systems and establish persistence, then deploys tools such as ADRecon to map the AD environment.
BlackCat claims attack on Italian energy agency
The BlackCat (aka AlphV) ransomware group claimed responsibility for an attack on Italian energy agency Gestore dei Servizi Energetici SpA (GSE) that took down its website and other systems. Microsoft recently warned that the BlackCat ransomware group targets Exchange servers, using the initial foothold to gather the Active Directory information needed to compromise the environment before dropping file-encrypting payloads.