As cyberattacks targeting Active Directory continue to rise, AD security, identity, and IT teams face mounting pressure to monitor the evolving AD-focused threat landscape. To assist IT professionals in comprehending and preventing attacks that involve AD, the Semperis Research Team publishes a monthly roundup of recent cyberattacks and provides additional resources for guarding against identity-related attacks. In this month’s round-up, Cuttlefish malware compromises routers to steal credentials, Okta reports increased password spraying and brute-force attacks on customers, and Omni Hotels recovers from a breach that took down business-critical systems.

Cuttlefish malware compromises routers to steal credentials

New malware called Cuttlefish is infecting enterprise and home office routers to steal credentials. The malware bypasses detection from typical security measures that monitor unusual logons, exfiltrates authentication data, and conducts DNS and HTTP hijacking.

Take action against credential stuffing: Poor credential security is one of the misconfigurations called out in NSA’s list of top security misconfigurations. See our tips for correcting some of the most common credential security gaps.

Credential theft behind Change Healthcare breach

UnitedHealth confirmed that the BlackCat ransomware group compromised Change Healthcare in February 2024 by stealing credentials from a Citrix remote access service that did not have MFA enabled.

Take action against MFA fatigue attacks: For tips on how to protect against MFA misconfigurations, check out How to Defend Against MFA Fatigue Attacks.

Okta reports increased brute-force and password-spraying attacks on customers

Identity and access management (IAM) company Okta has warned of “unprecedented” credential stuffing attacks against its customers involving brute-force and password-spraying techniques. Okta offered guidance for preventing these attacks, including blocking suspicious IP addresses.

Take action against password spraying and brute-force attacks: Check out our product team blog about using ML-powered attack pattern detection for more information about how to prevent widespread and notoriously successful attacks such as password spraying and brute-force attacks.

US issues password compromise warning after Sisense attack

In the wake of the password attack against business analytics company Sisense, the US government warned the company’s customers to reset their credentials. As a provider of business insights to more than 2,000 companies, including Nasdaq and ZoomInfo, Sisense is a lucrative target for supply-chain attacks.

Sean Deuby, Semperis principal technologist, told Dark Reading, “As we know from recent breaches disclosed by MGM Resorts and Caesars Palace, the supply chain continues to be the most difficult arena to secure, and it’s fertile ground for cyber adversaries.”

Take action against password compromises that can lead to supply-chain attacks: Check out our tips for closing common security gaps including password policy violations in Active Directory Security Best Practices.

Omni Hotels shuts down and restores systems in wake of cyberattack

Following a cyberattack that compromised its reservation, POS, payment, and door lock systems, Omni Hotels took systems offline to contain the breach before restoring systems, a move that likely helped them recover more quickly, according to Semperis VP of Sales Dan Lattimer, as reported in Hospitality Technology.

“For Omni and other hotel chains, when cyber breaches inevitably occur, eliminating single points of failure and having contingencies in place become critical to keeping services online and reducing significant chunks of downtime,” Lattimer said. “In the hospitality industry, specifically, too much downtime can result in significant revenue losses. Today, there’s no silver bullet that will solve the cybersecurity challenges facing most organizations. I recommend companies identify the critical services that are ‘single points of failure’ for the business.”

Take action against business-disrupting identity system outages: In 9 out of 10 cyberattacks, the victim organization’s primary identity store—typically Active Directory—is the ultimate target. For a comprehensive guide to backing up and recovering Active Directory from a cyber disaster, check out Active Directory Disaster Recovery Plan Covering Cyberattacks.

More resources

The Risks of Pre-Windows 2000 Compatibility Access (

Accelerate AD and Entra ID Protection | Semperis

Why Cyber Threats Are Attacking Active Directory | Semperis

The post Identity Attack Watch: AD Security News, April 2024 appeared first on Semperis.