As cyberattacks targeting Active Directory continue to rise, AD security, identity, and IT teams face mounting pressure to monitor the evolving AD-focused threat landscape. To help IT professionals understand and prevent attacks that involve AD, the Semperis Research Team publishes a monthly roundup of recent cyberattacks. In this month’s roundup, LockBit targets PaperCut servers, Black Basta hits the Canadian Yellow Pages, and BlackCat/ALPHV compromises NCR’s Aloha point-of-sale (POS) system.

PaperCut attacks attributed to Clop and LockBit ransomware groups

Microsoft attributed attacks on PaperCut print management software to the Clop and LockBit ransomware groups. LockBit’s tactics include exploiting Active Directory Group Policy vulnerabilities.

Black Basta claims attacks on Canadian Yellow Pages and Capita

Ransomware-as-a-service (RaaS) group Black Basta claimed responsibility for an attack on Canadian directory publisher Yellow Pages Group. Black Basta uses various tactics to compromise systems, including deploying QBot, which extracts Windows domain credentials and then drops malware on infected devices. Black Basta also claimed an attack on Capita, a London-based outsourcing group. That attack prevented access to Capita’s Microsoft Office 365 applications.

BlackCat/ALPHV claims attack on NCR

BlackCat hit NCR’s Aloha POS platform with an attack that targeted its datacenters, causing an outage that affected routine operations including payroll services. BlackCat’s tactics include targeting Exchange servers to gather Active Directory information needed to compromise the environment and drop file-encrypting payloads.

More resources

5 New Ways to Secure Active Directory and Azure Active Directory | Semperis
AD Security 101: AD Monitoring for Malicious Changes | Semperis
AD Security 101: SIEM Tools and AD Monitoring | Semperis

The post Identity Attack Watch: AD Security News, April 2023 appeared first on Semperis.