Cyberattacks targeting Active Directory (AD) are on the upswing, putting pressure on AD, identity, and security teams to monitor the constantly shifting AD-focused threat landscape. To help IT pros better understand and guard against attacks involving AD, the Semperis Research Team offers this monthly roundup of recent cyberattacks that used AD to introduce or propagate malware.

This month, the Semperis Research Team highlights new information about recent identity-related attacks, including the HermeticWiper attacks on Ukrainian organizations, the Lapsus$ (aka Dev-0537) social engineering campaign, and AvosLocker hits on critical infrastructure targets.

Attackers gained AD access, deployed HermeticWiper in attacks on Ukrainian organizations

In a campaign that was months in planning, threat actors gained access to AD servers and deployed HermeticWiper malware through the default domain policy.

Lapsus$ aka Dev-0537 uses social engineering and extortion to access information systems

Through social engineering and extortion, ransomware group Lapsus$ (Dev-0537) used compromised credentials to access organizations’ information systems, including identity providers such as Azure Active Directory and Okta.

Ransomware service AvosLocker hits critical infrastructure targets

Using various methods to obtain domain administrator privileges in victims' AD environments, ransomware-as-a-service group AvosLocker targeted multiple organizations across critical infrastructure sectors, including government organizations, manufacturing, and financial services.

LockBit 2.0 takes responsibility for Bridgestone attack

Ransomware-as-a-service group LockBit 2.0 recently claimed responsibility for attacks on Japanese automotive supplier Bridgestone. LockBit uses various tactics, techniques, and procedures (TTPs) to compromise victim organizations, including abusing AD group policies to encrypt devices across Windows domains.
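Both the HermeticWiper case above (payload pushed through the Default Domain Policy) and the LockBit case (group policies abused to encrypt devices domain-wide) hinge on a GPO being changed. The following PowerShell is an added defender-side check, not code from the Semperis post or from any of the reports it summarizes: it lists GPOs modified within an assumed window ($Days) that carry the extension types capable of delivering a payload (scheduled tasks, startup/logon scripts, software installation), and flags any recent change to the Default Domain Policy. It assumes the GroupPolicy RSAT module and an account that can read GPO reports.

```powershell
# Added example (not from the original post): audit recent GPO changes for
# payload-capable extensions. $Days is an assumed threshold, not a page value.
Import-Module GroupPolicy

function Get-SuspiciousGpoChanges {
    param([int]$Days = 7)

    $cutoff = (Get-Date).AddDays(-$Days)
    # Well-known GUID of the Default Domain Policy, the GPO abused in the HermeticWiper case.
    $defaultDomainPolicyId = '31b2f340-016d-11d2-945f-00c04fb984f9'
    # xsi:type suffixes of the extensions most often used to push code domain-wide.
    $interesting = 'ScheduledTasksSettings', 'Scripts', 'SoftwareInstallationSettings'
    $xsi = 'http://www.w3.org/2001/XMLSchema-instance'

    foreach ($gpo in Get-GPO -All) {
        # Get-GPOReport -ReportType Xml returns the policy as an XML string.
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml

        # Collect the xsi:type of every Computer/User extension in the GPO,
        # stripping the per-document namespace prefix (q1:, q2:, ...).
        $types = foreach ($ext in $report.SelectNodes("//*[local-name()='Extension']")) {
            ($ext.GetAttribute('type', $xsi) -split ':')[-1]
        }
        $hits      = @($types | Where-Object { $interesting -contains $_ } | Sort-Object -Unique)
        $recent    = $gpo.ModificationTime -ge $cutoff
        $isDefault = $gpo.Id.ToString() -eq $defaultDomainPolicyId

        # Report a recently changed GPO that can deliver a payload, and any
        # recent change at all to the Default Domain Policy.
        if ($recent -and ($hits.Count -gt 0 -or $isDefault)) {
            [pscustomobject]@{
                Name              = $gpo.DisplayName
                Id                = $gpo.Id
                Modified          = $gpo.ModificationTime
                DefaultDomain     = $isDefault
                PayloadExtensions = ($hits -join ', ')
            }
        }
    }
}

Get-SuspiciousGpoChanges -Days 7 | Format-Table -AutoSize
```

A hit is a starting point for review, not proof of compromise: legitimate administrators also deploy scheduled tasks and scripts through GPO, so compare each flagged change against your change records.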

CISA renews PrintNightmare patch and MFA configuration warnings

The Cybersecurity and Infrastructure Security Agency (CISA), in a joint advisory with the FBI, issued new warnings that Russian hackers are actively exploiting unpatched flaws, such as PrintNightmare, and risky practices, such as unenforced MFA policies, that enable them to gain access to networks and deploy malware.

More resources

Hiding in Plain Sight — Discovering Hidden Active Directory Objects | Semperis
Introducing the Golden GMSA Attack | Semperis
Defending Hybrid Identity Environments Against Cyberattacks | Semperis

The post Identity Attack Watch: March 2022 appeared first on Semperis.