As cyberattacks targeting Active Directory continue to rise, AD security, identity, and IT teams face mounting pressure to monitor the evolving AD-focused threat landscape. To help IT professionals understand and prevent attacks that involve AD, the Semperis Research Team publishes a monthly roundup of recent cyberattacks. In this month’s roundup of identity-related attacks, the Rhysida ransomware group claims attacks on Lurie Children’s Hospital and Sony subsidiary Insomniac Games, BlackCat/ALPHV targets multiple victims, and LockBit attacks Fulton County, Georgia.

Rhysida claims attack on Chicago children’s hospital

The Rhysida ransomware group claimed an attack on Lurie Children’s Hospital, a pediatric acute care facility in Chicago, that took systems offline and postponed medical care. Among other tactics, Rhysida runs a PowerShell script on compromised machines that, among other actions, deletes RDP configuration and changes Active Directory account passwords, locking defenders out while the group moves through the environment. Rhysida also claimed an attack on Sony subsidiary Insomniac Games.
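The password-change behaviour described above leaves a clear trail on domain controllers: each reset is logged as Security event 4724 ("An attempt was made to reset an account's password"), with the actor in SubjectUserName and the victim account in TargetUserName. The following PowerShell is an added example, not code from the Semperis post or from Rhysida's tooling, that flags one actor resetting many accounts in a short window. The threshold, window, and the sample events at the bottom are assumptions constructed for the demonstration; the live collector assumes it runs on a domain controller with rights to read the Security log.

```powershell
# Added example (not from the original post): detect bulk AD password resets
# by a single actor, the pattern described for Rhysida's PowerShell tooling.
# Assumes Security event 4724 is being written on the domain controllers.

function Get-PasswordResetEvents {
    # Live collection: pull 4724 events from the local Security log.
    # Run on a DC (or against forwarded logs) with log-read rights.
    param([int]$Hours = 1)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4724; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        # EventData carries SubjectUserName (who reset) and TargetUserName (whose password).
        $xml = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Subject = $data['SubjectUserName']
            Target  = $data['TargetUserName']
        }
    }
}

function Find-BulkPasswordResets {
    # Sliding window per actor: alert when one Subject resets at least
    # $Threshold distinct Targets within $WindowMinutes. Values are assumptions;
    # tune them to how many resets your helpdesk legitimately performs.
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [int]$Threshold = 5,
        [int]$WindowMinutes = 10
    )
    foreach ($group in ($Events | Group-Object -Property Subject)) {
        $sorted = @($group.Group | Sort-Object -Property Time)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $windowEnd = $sorted[$i].Time.AddMinutes($WindowMinutes)
            $targets = @($sorted[$i..($sorted.Count - 1)] |
                Where-Object { $_.Time -le $windowEnd } |
                Select-Object -ExpandProperty Target -Unique)
            if ($targets.Count -ge $Threshold) {
                [pscustomobject]@{
                    Subject    = $group.Name
                    FirstReset = $sorted[$i].Time
                    ResetCount = $targets.Count
                    Targets    = ($targets -join ', ')
                }
                break   # one alert per actor is enough
            }
        }
    }
}

# Constructed sample: 'svc-backup' resets six accounts in three minutes
# (should alert); 'helpdesk01' resets two accounts an hour apart (should not).
$base = Get-Date '2024-02-01T03:00:00'
$sample = @(
    [pscustomobject]@{ Time = $base;                    Subject = 'svc-backup'; Target = 'jdoe' }
    [pscustomobject]@{ Time = $base.AddSeconds(20);     Subject = 'svc-backup'; Target = 'asmith' }
    [pscustomobject]@{ Time = $base.AddSeconds(45);     Subject = 'svc-backup'; Target = 'bwong' }
    [pscustomobject]@{ Time = $base.AddMinutes(1);      Subject = 'svc-backup'; Target = 'da-ops' }
    [pscustomobject]@{ Time = $base.AddMinutes(2);      Subject = 'svc-backup'; Target = 'krbtgt-test' }
    [pscustomobject]@{ Time = $base.AddMinutes(3);      Subject = 'svc-backup'; Target = 'sql-svc' }
    [pscustomobject]@{ Time = $base.AddMinutes(5);      Subject = 'helpdesk01'; Target = 'mlee' }
    [pscustomobject]@{ Time = $base.AddMinutes(65);     Subject = 'helpdesk01'; Target = 'rpatel' }
)

Find-BulkPasswordResets -Events $sample -Threshold 5 -WindowMinutes 10 | Format-List
# To run against live data on a DC instead of the sample:
#   Find-BulkPasswordResets -Events (Get-PasswordResetEvents -Hours 1)
```

Two caveats a practitioner will want: a service account that never performs resets appearing as Subject is itself the stronger signal, regardless of count, so consider an allow-list of helpdesk and provisioning identities and alert on anything else at a threshold of one; and because Rhysida's script also tampers with logs on the host, collect 4724 from every domain controller into a forwarder or SIEM rather than relying on a single DC's local Security log.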


BlackCat/ALPHV claims attack on Change Healthcare, Hessen Consumer Center, loanDepot, Prudential Financial

Ransomware gang BlackCat/ALPHV claimed the cyberattack on Optum, a subsidiary of UnitedHealth Group, which disrupted services of the Change Healthcare payment exchange platform used by more than 70,000 US pharmacies. The cyber criminal group, which claims to have stolen 6TB of Change Healthcare data, uses various methods to compromise organizations’ systems, including compromising Active Directory. BlackCat/ALPHV also claimed attacks on Hessen Consumer Center, a nonprofit organization in Frankfurt, Germany, that provides consumer advocacy information to area residents; loanDepot; and Prudential Financial.


U-Haul customer records compromised in credential theft

An unknown attacker used stolen credentials to compromise customer records of U-Haul, a US company that rents moving equipment and storage units.


LockBit claims attack on Fulton County, Georgia

Fulton County, Georgia, home of Atlanta, was targeted in a LockBit ransomware group attack that caused widespread IT outages.


Black Basta and Bl00dy ransomware groups target ScreenConnect servers

Black Basta and Bl00dy are among the cyber criminal groups that have exploited a maximum-severity authentication bypass vulnerability in ScreenConnect servers. The flaw lets an unauthenticated attacker create admin accounts, delete users, and take over vulnerable instances, and because ScreenConnect is a remote-access tool, a taken-over server becomes a ready-made foothold into every endpoint it manages. Black Basta also claimed an attack on Hyundai Motor Europe that allegedly compromised 3TB of corporate data.


More resources

NSA Top Ten Cybersecurity Misconfigurations: An Active Directory Perspective – Semperis

Meet Silver SAML: Golden SAML in the Cloud | Semperis

Why Cyber Threats Are Attacking Active Directory | Semperis

The post Identity Attack Watch: AD Security News, February 2024 appeared first on Semperis.