Cyberattacks targeting Active Directory are on the upswing, putting pressure on AD, identity, and security teams to monitor the constantly shifting AD-focused threat landscape. To help IT pros better understand and guard against attacks involving AD, the Semperis Research Team offers this monthly roundup of recent cyberattacks that used AD to introduce or propagate malware.

This month, the Semperis Research Team highlights increased activity by Conti, BlackCat attackers targeting Exchange servers, and more.

Conti group attacks 40 organizations in one month

The Conti ransomware-as-a-service (RaaS) group conducted a campaign that breached more than 40 organizations in one month at the end of 2021. Conti, whose tactics include compromising Active Directory domain credentials, frequently monitors Windows updates and analyzes changes from new patches to uncover new attack approaches.

Read more

CISA urges organizations to adopt Exchange Online Modern Auth

The U.S. Cybersecurity & Infrastructure Security Agency (CISA) urged agencies and private organizations that use the Microsoft Exchange cloud email platform to switch from legacy authentication models to Modern Auth (Active Directory Authentication Library and OAuth 2.0 token-based authentication) to guard against password spray attacks.

Read more

BlackCat attackers target Exchange servers to gather Active Directory info

Microsoft recently warned that the BlackCat ransomware group is now targeting Exchange servers to gather Active Directory information needed to compromise the environment and drop file-encrypting payloads. In addition to updating Exchange servers and monitoring external network access, Microsoft recommends that organizations review their identity security posture.

Read more

Vice Society ransomware group attacks Italian city of Palermo

Vice Society, which exploits known vulnerabilities on unpatched systems—including the PrintNightmare flaw—claimed responsibility for a cyberattack on Palermo, Italy. The attack caused a large-scale outage of online services.

Read more

Black Basta group partners with QBot malware operation to compromise corporate environments

Black Basta, a new ransomware group, has found quick success in compromising corporate environments by teaming up with the makers of QBot (aka QuakBot), Windows malware that steals bank credentials and Windows domain credentials, then drops malware on infected devices.

Read more


More resources

Top Tips for Protecting Active Directory | Semperis
7 Active Directory Misconfigurations to Find and Fix—Now | Semperis
So You’ve Been Breached – What Now? | Semperis

The post Identity Attack Watch: June 2022 appeared first on Semperis.