As cyberattacks targeting Active Directory continue to rise, AD security, identity, and IT teams face mounting pressure to monitor the evolving AD-focused threat landscape. To assist IT professionals in comprehending and preventing attacks that involve AD, the Semperis Research Team publishes a monthly roundup of recent cyberattacks. In this month’s roundup, Spain warns of phishing attacks that used LockBit Locker ransomware, Rhysida ransomware group claimed an attack on Prospect Medical, and BlackCat targeted Seiko watch manufacturer.

LockBit Locker ransomware campaign targets architecture firms in Spain

A ransomware group believed to be unaffiliated with the LockBit group used LockBit Locker encryption technology in a campaign against Spanish architecture companies. The campaign uses phishing emails impersonating a photography store to gain access to admin privileges on Windows machines.

Read more

Rhysida group claims attack on Prospect Medical

The Rhysida ransomware group claimed an attack on Prospect Medical Holdings that extracted 500,000 Social Security numbers, corporate documents, and patient records. Among other tactics, Rhysida uses a PowerShell script to compromise machines, including terminating RDP configurations and changing Active Directory passwords.

Read more

BlackCat claims attack on Seiko watch manufacturer

Japanese watchmaker Seiko suffered a ransomware attack by the BlackCat/ALPHV group that leaked production plans, employee passport scans, lab test results, and prospective watch design information. BlackCat targets Active Directory to gain entry into information systems before dropping malware.

Read more

Cuba ransomware group targets critical infrastructure in U.S. and Latin America

The Cuba ransomware group compromised critical infrastructure organizations in the U.S. and Latin America by exploiting a vulnerability in Microsoft’s NetLogon protocol to conduct privilege escalation against Active Directory domain controllers.

Read more

MOVEit breach extends to Colorado, Missouri, and U.S. government contractor Serco

The MOVEit breach conducted by Clop ransomware hit more victims, including the Colorado Department of Health Care Policy & Financing (HCPF), Missouri’s Department of Social Services, and U.S. government contractor Serco. Clop’s attack methods include targeting the victim’s entire network by compromising the Active Directory (AD) server and dropping malware.

Read more

More resources

Protecting Active Directory from Kerberoasting – Semperis

Semperis Offers New Protection Against Okta Breaches – Semperis

AD Security 101: Securing Primary Group IDs – Semperis

The post Identity Attack Watch: AD Security News, August 2023 appeared first on Semperis.